Breaking Google's DRM 892
An anonymous reader writes "Google's new Google Print service (that lets you see scanned pages from printed books) has a pile of advanced browser-disabling DRM in it ('Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.'). This works with JavaScript turned off, even in Free Software browsers. Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM. A full exploration of the html obfuscation and DRM employed by Google would be very interesting; certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."
Google are Evil (Score:0, Interesting)
So? (Score:5, Interesting)
Does this mean that Google is now officially an Evil Company(TM)?
Critical Features? (Score:2, Interesting)
A little extreme journalism? Such functions (and lacks thereof) have been around across the various browsers for years now. People want to protect their work. Big deal. I'm sure that there will be black hats who will find a way around any copy protection process. Be it for DVD, MP3, Windows Media, AAC, PDF, etc. Legal to do so? Perhaps? Does that make it ethical? Probably not.
The simple fact is... (Score:1, Interesting)
Google is scary enough to think about, what with their gargantuan server farm, their bizarre "don't delete your email (and even if you do, we're going to keep a copy)" policy, their odd way of censoring things in image and web results, but now we have a Google that has come right out and made it possible to really strip a web browser's secondary functionality?
I think it is time to stop treating Google as the mystic, all-holy and wonderful search engine and perhaps begin treating it as a hostile assault on the general idea and purposes of the web.
I hope that doesn't sound too extreme....
It doesn't matter... (Score:4, Interesting)
The point is that it is "good enough" to stop the average person from lifting the material.
If you're determined enough, nothing is going to stop you from getting what you want.
Please provide demo URLs (Score:5, Interesting)
I do agree that this is a security problem. We already have options in some browsers (I use Firefox, for example) to block sites from changing status bar text, changing images, etc. And there was no fuss about that. I think disabling such basic functions as copy, paste, print falls in the same "no-no" category as changing statusbar text, changing images, etc.
A site presents a page in a certain way, but I as the user get to select how I view it, with what functions I want to view it, which parts of the site I want active and which ones I don't. You can't force me to accept what I don't want to accept. If I set my software to ignore part of your site, that's my choice, not yours.
You don't go disabling functions in users' browsers. You let them do that themselves. Conversely, you don't enable stuff the user didn't enable themselves.
Isn't it now about to be illegal to go changing peoples' browser settings via the use of spyware? Doesn't this come awfully close to doing the same thing? If it changes how my software behaves, it's awfully close to being malware.
Why use DRM in the first place? (Score:3, Interesting)
It's a documentation problem ... (Score:3, Interesting)
"Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content."
to:
"Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content from most users."
It's magic.
Re:Security issue? (Score:1, Interesting)
To bad it doesnt work at all (Score:3, Interesting)
I can copy text in both IE and Firefox...
wget is forbidden (Score:5, Interesting)
Resolving print.google.com... done.
Connecting to print.google.com[64.233.161.118]:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
09:44:53 ERROR 403: Forbidden.
Comment removed (Score:5, Interesting)
Easy! Here's how I did it. (Score:3, Interesting)
2. Do a "View Source"
3. search for this: ".theimg { background-image:url"
4. copy the URL from that place, into a new browser.
5. ???
6. Profit!
scripting this should be ludicrously easy.
Re:Security issue? (Score:5, Interesting)
For example, some people have a habit of right-clicking, then selecting the back option from there (I find that odd but I know people who do that). If they right-click a page and get a message screaming at them for daring to right-click, which they did to just get out of the page, they tend to get a negative impression of the site and feel like they are being trapped there.
So yes, I see it as a security vulnerability... because it means that a site has control over software installed on the user's computer and doesn't ask for consent before it goes changing how that software behaves. Maybe for some people it's not a big deal to find that the cut button doesn't work, but who says it'll stop there? What else is the browser going to roll over and obey? Allowing such basic functions to be turned off is a mistake that no software should ever make. It is indeed a security problem.
At the very least, the user should see a message displayed that says "This site has requested the following interface changes. Allow or deny?" (or similar.) Ideally, the browser should have a "permissions" setting set like Firefox's Javascript permissions list.
I'd like to see something like this, for instance, in Firefox's security settings near the Javascript permission settings:
Block sites from:
[X] Disabling menu items
[X] Disabling right-click context menus
[X] Opening new windows (single-window mode)
And so on. Does that really look so unreasonable and out of place? Looks fine to me
Re:For those with tinfoil hats (Score:5, Interesting)
If a DRM scheme depends on a bug in a product, and the product manufacturer corrects the bug to improve their product, has the DMCA been violated?
Basically, can a DRM scheme cement bugs in place by exploiting them?
Google's DRM broken by Spiderzilla (Score:3, Interesting)
To reproduce:
- Install the Spiderzilla XPI. I installed with Moz v0.7.3 on WinXP.
- Visit google. I searched for "Mastering Digital Photography". The top result is a book.
- Fire up Spiderzilla (Tools -> Download this site)
- Use the defaults. I did.
- Go into whatever you named your project, then go into the "print.google.com" folder. The big images are what you're looking for.
- Use some OCR or something.
Note: I actually like Google. I don't think they're evil, nor do I think they're bad/wrong/stupid.
Well, maybe a little stupid - on this particular project. As many others have pointed out, google delivered content to your (my) screen. At that point, it's exceedingly difficult to prevent me from taking that content and running with it. Surely they expected this to happen and simply did the best they could to prevent it? I can't image they assumed their restrictive measures would defeat misuse attempts by anyone other than the most casual user of this service.
Google Print is down (Score:3, Interesting)
A different kind of DRM (Score:2, Interesting)
The Point? (Score:4, Interesting)
Really who is going to print out all 600 pages of the newest Tom Clancey book, then goto the effort of binding them together. It'd cost more in paper, ink, time & energy than to just buy the book.
Sure if it were a cooking book or something someone might only want 1 page. But then again, if they want 1 page they can just write it down.
Seems like a big waste of time and money to me, but then again after the IPO they have money to blow.
Re:very easy to break... (Score:4, Interesting)
- Firefox 0.9.3
- Javascript on, but all the little check boxes off
- Not allowing any site to override my css
- Images from originating website only
I cannot even see any evidence of DRM, i can print, copy, paste, etc..
Perhaps I'm doing something wrong. ?
Re:That explains those mysterious hirings (Score:2, Interesting)
Just thought I'd remind you.
Re:Security issue? (Score:3, Interesting)
Block sites from:
[X] Disabling menu items
[X] Disabling right-click context menus
[X] Opening new windows (single-window mode)
Actualy, in mozilla, (I'm not sure about firefox, but I'd assume it's the same) You'll get the annoying dialog, but then the context menu will apear anyway.
Re:Security issue? (Score:5, Interesting)
> including the decision of which software to install, and which services you
> choose to use.
Unfortunately, that is the idea behind "trusted" computing. You no longer have full control over your own machine, you can only run applications "trusted" by those controlling the DRM. As soon as you run an untrusted app, you cannot run a trusted application. Typically, in this case the trusted app would be a DRM compliant browser. Attempt to fire up mozilla or anything that can otherwise image the data (even from a screenshot) and the it will not be allowed to run, or if it does the trusted apps will immediately shut down. At least in theory, that is how it is supposed to work.
Of course, nothing would stop you from capturing the screen from a camera on a second PC synchronized to the frame rate. It just makes things awkward.
how about wget? (Score:2, Interesting)
I own anything on my screen (Score:2, Interesting)
If I can see it, I own it, end of story.
And really, if you don't want people to see your 'copyrighted' content, don't put it on the internet!
Disclaimer? (Score:1, Interesting)
How 'bout Google has a disclaimer on any of its matches that include GooglePrint?
Something to the effect of "By clicking here to view GooglePrint results, you acknowledge that your browser functionality will be limited to view-only in order to prevent copyright infringement."
Don't like it? Don't click.
Re:Security issue? (Score:3, Interesting)
However, and I too would like firefox to disable right click blocking.
But bad reviews does not a security issue make, and that's the topic of this thread. While it's annoying and I'd like to see Firefox tackle the right click issue, I don't think we should go after the rest of what Google's DRM might entail.
(BTW, quick question.. If some of Google's DRM relied on a bug in Firefox, and that bug was later fixed to solve a problem unrelated to the DRM, would that constitute a violation of the DMCA, as Google's DRM would no longer work in the future releases?? Kinda makes you think...)
Imagine... (Score:3, Interesting)
Why imagine that? Well, it's the logical conclusion. DRM is fundamentally unworkable, for the reasons Cory Doctorow explains so eloquently. So the only thing that will stop unlimited copying is legal restrictions, and if enough people decide to ignore the law, the law doesn't work. So imagine this future because the real future may look a lot like it.
Now, would such a future be bad? If we didn't have 100,000 new romance novels published each year, would that be bad? If we didn't have Stephen King making millions of dollars on his books, would that be bad?
If the only people writing were people who just had to write, because they had a burning desire to say something that they thought mattered, it would not be the end of civilization. In fact, it might improve civilization, because the books that actually said something wouldn't get lost in the overwhelming flood of "no message, just plot" books written by people who didn't really care about saying something, but just wanted to make a buck...
Raw image in under 10 seconds (Score:3, Interesting)
tar -xzvf blah.war 2print
Hey, look, a JPEG.
Takes all of 10 seconds at my typing speed. No dicking around with browser settings, DOM trees, right clicking, etc.
c.
Re:It's doomed. (Score:2, Interesting)
Re:That explains those mysterious hirings (Score:2, Interesting)
Well, yes, but... Atheism states that since there is no decent evidence for God's existance, there is no reason to believe in God's existance. Agnosticism states that there is no way to prove whether God exists or not. Notice carefully that those are *not* competing positions. You can be both agnostic & atheistic at the same time, or one and not the other, or neither.
Re:That explains those mysterious hirings (Score:2, Interesting)
Your approximation of reality does not have a god. Mine does. No one knows what reality actually holds.
And your belief is an appeal to ignorance [nizkor.org].
Nothing to see here, move along. (Score:4, Interesting)
It's simple - the image is done as the background image for an HTML element. There's nothing to stop you linking directly to the content: sample image [google.com], for example.
You can't right click on it because it's a background graphic. But you sure as hell could write a robot script that went and downloaded pages.
If they're clever, they'll watermark each image as it is served, so they can tell who's copying what (well, down to the originating IP, anyway).
Re:That explains those mysterious hirings (Score:3, Interesting)
Javascript: Edit browser code to silently ignore instructions that override right clicks and menu options.
ANY approach that doesn't force you to install and run a binary: Have the browser dump downloaded files to a directory of your choice. Alternatively, disable the cache timeout. Then browse the website as a human would, and later you have your copy.
Something akin to masquerading could be used if the files need to appear to be coming from the Google server.
If you have the source to the rendering device (the browser) and it is displayed on the screen, it can be copied.
Re:That explains those mysterious hirings (Score:3, Interesting)
I don't have to be convinced of my correctness to consider others who *are* to be idiots for thier false sense of certainty.
And "Foo does not exist" is actually the default hypothesis in the face of no evidence for Foo (since it's falsifiable, and the inverse is not). So the statement "God doesn't exist" is not that far off from the statement "I don't believe god exists". In practical terms they end up pretty much the same, since people go around believing various things don't exist for which they have no proof they don't exist. Do you believe there is a pink unicorn standing on your car right now? Do you have proof it's not there yet? Even before you go outside and look at your car, you are already pretty well convinced that unicorn is not there.
And if you did say that you thought there was a good chance it could be there just because it's not disproven yet, then I would be right to call you a mindless retard for it.
Why then does the issue change when the thing in question is God?
Re:For those with tinfoil hats (Score:3, Interesting)
VCRs that didn't suffer from the AGC bug which makes Macrovision work are required by the DMCA to add that bug or something else to make Macrovision work!
If I were a VCR manufacturer, I'd record a screen with the following text: "This VCR is refusing to record this signal because to do so would be a violation of Federal law 17 USC 1201(k)". Make it obvious it is their gov't setting the rules - so people could vote out those people who pass such laws.
Re:Security issue? (Score:2, Interesting)
I probably shouldn't bother with this, but I have to ask. And please recall that this thread initially started around the topic of disabling the cut, copy, save and print features.
You said:
Copyright is, by intent, limited: It controls reproduction, public performance, and several other actions, and no more.
How are the cut/copy/save/print functions not reproduction? Aren't you taking a copy of said work and reproducing it in some other location/format/whatever? Presumably, you aren't the copyright holder, thus your ability to reproduce the work has been limited. (If you are the copyright holder you don't need to go to Google Print to reproduce your work, do you?)
In this case copyright is not abused.
The material presented is legitimately copyrighted. This form of copyright, apparently, does not allow for free duplication and distribution. We are all used to the idea that material presented on the web is available for free use. This doesn't mean that everything has to follow that model.
If you have a problem with Google Print then don't use it. More importantly, tell Google why.
Now, I'll give you that disabling right-click entirely is annoying and could be called a nuisance. But if there is no way to disable just the copy (and copy-esque elements) in the right-click menu then so be it. Besides, I use ALT + LEFT more often anyway.
OK, ready for decimation.
-r
Here's one way to fix this "DRM" on Firefox (Score:4, Interesting)
2. Add this URL to its block list:
http://print.google.com/images/cleardot.gi
3. Disable "collapse blocked elements" in Adblock while browsing Google Print.
4. Pick "View Background Image", then "Save Image As..."
I guess someone will come up with a Firefox extension in no time that will just add a context menu option called "Save Background Image as..."
Re:That explains those mysterious hirings (Score:5, Interesting)
<style type="text/css" media="print">
</style>
<div class="hidden">
<div style='background-image:url("http://print.google.
<img src="clear.gif" width=575 height=752>
</div>
</div>
It's a cool technique. But I can'timagine how hundreds of people on slashdot can look at this without more than half a dozen knowing how it's done.
Re:Google has to do it, not make it work (Score:1, Interesting)
Well, as an editor at Wiley, I'm happy enough with the current system to contribute my books to the service. From my point of view it's about making my books relevant again to a generation who doesn't turn to books as a primary source of information (and I'm a member of this generation). People will be able to read my books for free on google, but I don't believe most people doing this would have bought these books to begin with, so there's no lost sale. On the other hand, if even one extra person buys one of my books after seeing it come up through a google or a9 search, then that's extra revenue we wouldn't have seen otherwise.
Re:That explains those mysterious hirings (Score:3, Interesting)
Re:That explains those mysterious hirings (Score:3, Interesting)
it would not be possible to derive the conclusion
from those premises. that is not a criticism.
therefore, those arguments from first cause which
do not fall into the first category remain unimpugned.
as regards denying the premise, i infer from your
earlier post that you are referring to the
implication of regress in cause. but any argument
which holds that the first cause is outside of
the (partially-)ordered set which is the domain
of the regress does not imply an
infinite regress, and is thus immune to your criticism.
if you ask what caused the first cause, you make
a category mistake. temporal causality does not
apply to a factor or agency which has no temporal evolution.
Re:That explains those mysterious hirings (Score:2, Interesting)
Stories in the holy books are myths. By definition, religions are based in mythology.
Please, try and contradict my point. I'd like a laugh.