
Breaking Google's DRM

Posted by michael
from the don't-be-evil dept.
An anonymous reader writes "Google's new Google Print service (that lets you see scanned pages from printed books) has a pile of advanced browser-disabling DRM in it ('Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.'). This works with JavaScript turned off, even in Free Software browsers. Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM. A full exploration of the html obfuscation and DRM employed by Google would be very interesting; certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."
  • by waynegoode (758645) * on Friday October 08, 2004 @12:25PM (#10470721) Homepage
    Knowing how to develop stuff like this is not a skill everyone has. This might explain why Google recently hired [nypost.com] some browser-type software developers (as discussed on Slashdot [slashdot.org]).
  • Security issue? (Score:5, Insightful)

    by radish (98371) on Friday October 08, 2004 @12:26PM (#10470733) Homepage

    certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP

    While I agree it would be nice to fix this from a convenience point of view, and a "it's my computer - it'll do what I want" point of view, how is this a security risk? How do I get a trojan, or lose files, because of an inability to copy & paste on a particular page?
    • Re:Security issue? (Score:5, Insightful)

      by Rude Turnip (49495) <valuation@@@gmail...com> on Friday October 08, 2004 @12:30PM (#10470780)
      "...how is this a security risk?"

      A part of your security is having control over your computer. Your security has been compromised when you lose that control.

      • Re:Security issue? (Score:5, Insightful)

        by American AC in Paris (230456) * on Friday October 08, 2004 @12:39PM (#10470917) Homepage
        A part of your security is having control over your computer. Your security has been compromised when you lose that control.

        ...by this logic, an operating system that does not permit a user to dive directly to an arbitrary RAM address and twiddle bits is an operating system that poses a security risk, as you've lost the control to directly manipulate your machine's memory.

      • Re:Security issue? (Score:5, Insightful)

        by rackhamh (217889) on Friday October 08, 2004 @12:47PM (#10471045)
        Your computer is a physical piece of hardware. Unless somebody has locked the case and/or tied your hands behind your back, you retain full control over it... including the decision of which software to install, and which services you choose to use.

        If Google Print doesn't offer the save/print/whatever functionality you desire, then don't use it.

        There, you just exercised your control over your computer.
        • Re:Security issue? (Score:5, Interesting)

          by earthforce_1 (454968) <earthforce_1@@@yahoo...com> on Friday October 08, 2004 @01:31PM (#10471655) Journal
          > Your computer is a physical piece of hardware. Unless somebody has locked the case
          > and/or tied your hands behind your back, you retain full control over it...
          > including the decision of which software to install, and which services you
          > choose to use.

          Unfortunately, that is the idea behind "trusted" computing. You no longer have full control over your own machine, you can only run applications "trusted" by those controlling the DRM. As soon as you run an untrusted app, you cannot run a trusted application. Typically, in this case the trusted app would be a DRM compliant browser. Attempt to fire up mozilla or anything that can otherwise image the data (even from a screenshot) and it will not be allowed to run, or if it does the trusted apps will immediately shut down. At least in theory, that is how it is supposed to work.

          Of course, nothing would stop you from capturing the screen from a camera on a second PC synchronized to the frame rate. It just makes things awkward.
          • by argent (18001) <peterNO@SPAMslashdot.2006.taronga.com> on Friday October 08, 2004 @02:18PM (#10472354) Homepage Journal
            Unfortunately, that is the idea behind "trusted" computing. You no longer have full control over your own machine, you can only run applications "trusted" by those controlling the DRM.

            This used to be called "Mandatory Access Control" (MAC, as opposed to the kind of multiuser protection most people deal with... "Discretionary Access Control") before Microsoft decided to change the definition of "trust".

            As soon as you run an untrusted app, you cannot run a trusted application.

            This is one way of doing it. Another way is to create a compartmentalised environment, where applications can not get information from compartments with a higher classification, nor transfer information to compartments of a lower classification.

            Ironically, THIS kind of MAC environment under administrative control can be a major security enhancement. You could create a compartment with "untrusted classification"... which would effectively have fewer rights than even a normal application... and force users to run their web browsers and other untrusted applications inside it. Not only couldn't they be attacked through the browser, they couldn't even be suborned or tricked by a social engineering attack into breaking the security (that's the main point of MAC, really). Unfortunately, Windows doesn't seem to have any kind of generic MAC mechanism that could be used this way.
      • Re:Security issue? (Score:5, Insightful)

        by Feanturi (99866) on Friday October 08, 2004 @01:08PM (#10471333)
        That definition's too broad though. Is crippleware of any sort then, a security risk? That doesn't make sense. Though, we're talking about a full app here that already saves other things fine but just not this particular content. So what? How is that a loss of 'control'? I still have control over *my* system, just not the ability to manipulate *someone else's* material.
        • Re:Security issue? (Score:5, Insightful)

          by cduffy (652) <charles+slashdot@dyfis.net> on Friday October 08, 2004 @02:03PM (#10472136)
          This is distinctly unlike crippleware, unless that crippleware were to (for instance) disable some OS-level functionality until it's paid for.

          Web content shouldn't be able to affect browser functionality without the user's consent, just the same as an application shouldn't be able to disable a part of the OS.

          Finally, and I've said this elsewhere: It's not "someone else's" material in the sense that they have complete and total ownership; it's "someone else's" material in the sense that they own copyright over it. Copyright is, by intent, limited: It controls reproduction, public performance, and several other actions, and no more. It also has a number of exceptions where reproduction and so forth can be permitted (for instance, excerpting for a review).

          Pretending that ownership of the exclusive right to reproduce (and some other actions as well) is equivalent to complete and total control is a modern myth -- but if folks don't fight for that distinction, we may well lose it; and in that case, it's the public as a whole that misses out.
      • Re:Security issue? (Score:5, Insightful)

        by radish (98371) on Friday October 08, 2004 @02:16PM (#10472338) Homepage
        You have complete control. Don't go to that site. See? Easy. No one is forcing you to use this service. If you choose to use it, you are subject to certain rules, one of which is - no copy & paste. Don't like the rules? Don't use the service.

        Counter Example 1: Many popular games won't run without the CD in the drive. In other words, if you try to start the app without the CD, it will not do what you want (it will exit). Did you just lose control of your computer? Is your security at risk? Of course not.

        Counter Example 2: Hard drives have firmware built into them. It is this firmware, not any software on the machine itself, which controls exactly where on the disk data is written. If this firmware fails, data can be lost. This firmware is in ROM, on the drive itself. When you save a file you are trusting it to do the right thing, what's more, there's no way you can actually tell what it is doing, or affect what it does. Have you lost control? Is your security compromised?
    • Re:Security issue? (Score:5, Insightful)

      by lukewarmfusion (726141) on Friday October 08, 2004 @12:30PM (#10470791) Homepage Journal
      No kidding... you may not like having those features disabled, but calling them a "security vulnerability" is like shouting "terrorist" because you don't like what someone else says.

      There are plenty of sites that go to great lengths to turn off functionality like copy, back button, print, etc. When a major corporation does it, suddenly it's a risk?

      Google can only offer that information because they can employ DRM.
      • Re:Security issue? (Score:5, Interesting)

        by Buran (150348) on Friday October 08, 2004 @12:51PM (#10471095)
        And a lot of places give those sites negative reviews, and it's well deserved -- people expect basic functions like right-click, copy, paste, back, etc. to function normally wherever they go. Users have come to expect that.

        For example, some people have a habit of right-clicking, then selecting the back option from there (I find that odd but I know people who do that). If they right-click a page and get a message screaming at them for daring to right-click, which they did to just get out of the page, they tend to get a negative impression of the site and feel like they are being trapped there.

        So yes, I see it as a security vulnerability... because it means that a site has control over software installed on the user's computer and doesn't ask for consent before it goes changing how that software behaves. Maybe for some people it's not a big deal to find that the cut button doesn't work, but who says it'll stop there? What else is the browser going to roll over and obey? Allowing such basic functions to be turned off is a mistake that no software should ever make. It is indeed a security problem.

        At the very least, the user should see a message displayed that says "This site has requested the following interface changes. Allow or deny?" (or similar.) Ideally, the browser should have a "permissions" setting set like Firefox's Javascript permissions list.

        I'd like to see something like this, for instance, in Firefox's security settings near the Javascript permission settings:

        Block sites from:

        [X] Disabling menu items
        [X] Disabling right-click context menus
        [X] Opening new windows (single-window mode)


        And so on. Does that really look so unreasonable and out of place? Looks fine to me ...
        • Re:Security issue? (Score:3, Interesting)

          by autopr0n (534291)
          I'd like to see something like this, for instance, in Firefox's security settings near the Javascript permission settings:

          Block sites from:

          [X] Disabling menu items
          [X] Disabling right-click context menus
          [X] Opening new windows (single-window mode)

          Actually, in mozilla, (I'm not sure about firefox, but I'd assume it's the same) you'll get the annoying dialog, but then the context menu will appear anyway.
        • Re:Security issue? (Score:3, Interesting)

          by BobPaul (710574) *
          I agree to an extent. Disabling right click is extremely annoying and it always fsks with my mouse gestures...

          However, and I too would like firefox to disable right click blocking.

          But bad reviews does not a security issue make, and that's the topic of this thread. While it's annoying and I'd like to see Firefox tackle the right click issue, I don't think we should go after the rest of what Google's DRM might entail.

          (BTW, quick question.. If some of Google's DRM relied on a bug in Firefox, and that bug wa
        • Re:Security issue? (Score:5, Informative)

          by Plutor (2994) on Friday October 08, 2004 @02:16PM (#10472335) Homepage
          I'd like to see something like this, for instance, in Firefox's security settings near the Javascript permission settings:

          Block sites from:
          [X] Disabling right-click context menus


          In Firefox:
          * "Edit" -> "Preferences"
          * Select "Web Features"
          * Click the "Advanced" button next to "Enable JavaScript"
          * Uncheck "Disable or replace context menus"
          (This was bug 86193, checked into the code in March. It's in 1.0PR)

          As for single-window mode, there are plenty of extensions. Try the one called "Tabbrowser Extensions [sakura.ne.jp]", for instance.
      • Re:Security issue? (Score:3, Insightful)

        by mpcooke3 (306161)
        Maybe it's not a security vulnerability but it's probably not a good idea to allow the modification of browser-application functionality on a per website basis.
      • Re:Security issue? (Score:3, Insightful)

        by troykoelling (315083)
        Hear, hear! Google's "do no evil" mantra is really not getting the respect it deserves. Between the gmail FS and attempting to break this copy protection which aims to give people information for free... I don't know why they don't just give up and use that monopoly they hold over the search business. And that wouldn't be the worst part, it's young impressionable people like me who start to wonder if it's worth following their role model when so many greedy slashdotters want to exploit their every move.
    • by ImaLamer (260199) <john@lamar.gmail@com> on Friday October 08, 2004 @12:56PM (#10471162) Homepage Journal
      Question #5 states:

      What can I do with books that I find?

      Well, you can browse a few pages, learn more about the topics explored by the book, buy it, or commit a selection to memory. To further protect your book content, printing and image copying functions are disabled on all Google Print content pages.

      I don't see the big deal. As long as they let me still use "back", "forward" and "exit" I'll be happy. Sure it sucks that you might have to buy a book or write down your favorite quote, but it's free as in gratis at this point.

      Amazon only lets you get about 3 pages into a book and usually you can't leave the introduction.
      • by Arkhan (240130) on Friday October 08, 2004 @02:24PM (#10472433)
        You can read the entire book on Amazon -- it is just a little annoying. Amazon will let you read +/- 2 pages from the first page or any page that contains your search results from "search this book".

        So:

        • Start at the beginning of the book
        • Read 3 pages
        • Pick a phrase on the third page
        • Search for that phrase within the book
        • Click the search result for the third page
        • Read the next two pages
        • Pick a phrase on the fifth page
        • Search for that phrase within the book
        • Click the search result for the fifth page
        • Read the next two pages
        • Repeat until end of book
        It's irritating, but when you're trying to find a passage in the book and the three-page limit smacks you, you can use this method to get more of the book (or all of it, if you have the patience).
    • Re:Security issue? (Score:4, Insightful)

      by Artifakt (700173) on Friday October 08, 2004 @01:05PM (#10471278)
      It's not necessarily possible this can be used to spread some other package, like an attached trojan. How about viewing it as the possible warhead, not the delivery system. I.e., a modified existing virus or trojan exploits this vulnerability to turn off features like save, copy, (or maybe print) in your browser. You're trying to copy or print legally distributed content, such as instructions for removing the virus, and this slows you down. For that percentage of viruses written to be annoying, this feature looks like a great one to add to printing stupid Leet'speak on the screen, making the mouse pointer jump around, and such tricks.
      Or it can be viewed as an element of a DoS. Imagine a political website that has content they want to freely distribute. Infecting a number of site visitors with something, that as one of its effects, screws up copying or saving that content, is likely to be taken by most of the site's visitors as just a case of the site not having its HTML up to par. The site is effectively under an attack which it may never know happened, unless it gets enough visitor complaints.
    • The Point? (Score:4, Interesting)

      by paragon_au (730772) on Friday October 08, 2004 @01:07PM (#10471321)
      I don't even see the point to this.

      Really who is going to print out all 600 pages of the newest Tom Clancy book, then go to the effort of binding them together. It'd cost more in paper, ink, time & energy than to just buy the book.

      Sure if it were a cooking book or something someone might only want 1 page. But then again, if they want 1 page they can just write it down.

      Seems like a big waste of time and money to me, but then again after the IPO they have money to blow.
  • It's doomed. (Score:5, Insightful)

    by gowen (141411) <gwowen@gmail.com> on Friday October 08, 2004 @12:28PM (#10470751) Homepage Journal
    Facts :

    i) To display the books, they've got to send that information to the browser, on your machine.
    ii) Once it's displayable on your machine, there is *absolutely* no way they can stop a determined person from printing it.
    iii) If it's going to work on Open-Source browsers, the DRM must be fairly transparent.
    iv) If it works on Open Source browsers, someone cleverer than me will modify that browser so that it works as the user intends, rather than the sender. Their only protection is the DMCA, which may stop a US coder from writing/distributing the hacked app, but the rest of us will be laughing.

    Frankly, if Google were as smart as they're hyped to be, they'd know this.
    • It doesn't matter... (Score:4, Interesting)

      by wyoung76 (764124) on Friday October 08, 2004 @12:32PM (#10470816)
      ... if their DRM can be broken or not.

      The point is that it is "good enough" to stop the average person from lifting the material.

      If you're determined enough, nothing is going to stop you from getting what you want.
    • Re:It's doomed. (Score:3, Insightful)

      by Firehawke (50498)
      What makes you think they don't know this? It's like copy protection-- they only need to make it hard enough to discourage casual capture and printing.
    • Re:It's doomed. (Score:5, Insightful)

      by ricotest (807136) on Friday October 08, 2004 @12:40PM (#10470934)
      You should be thankful they used an open-source browser friendly technique. They could have just as easily wrapped the images in ActiveX or maybe Java in such a way that the data is never cached in an accessible form. The only way to get the image would then be screen-capture (made even harder if they used the graphics card buffer, but maybe that's overkill)

      Do you want Google to drop this technique and go for something more proprietary that won't work at all?
    • by Naikrovek (667) <jjohnson@[ ].com ['psg' in gap]> on Friday October 08, 2004 @12:41PM (#10470945)
      why do they not simply create an HTML table, make it [image width] cells wide, and [image height] rows, insert a 1x1 clear gif in each cell and change the bgcolor of each cell to the color on the corresponding image?

      while they work on that i'm gonna upgrade my memory.
      • Re:It's doomed. (Score:5, Informative)

        by markhb (11721) on Friday October 08, 2004 @01:02PM (#10471244) Journal
        I just looked at the page source code... they actually did something very similar to this. They create a table cell, set the background image to the book page (it's fed out of their search engine as opposed to being a static image link, so I imagine the backend screens based on http_referer or something), and then stretch a 1x1 transparent gif over the table cell. "Show Image" then shows the transparent gif, and there is no "show background image" since we are over a foreground image.

        They also use the standard context-menu disabling Javascript, which IE respects (and Mozilla does as well if you tell it to). Other than this (standard-issue) trick, they aren't doing anything sneaky to the user's browser at all. They could even disable the DRM for non-copyright pages if they wanted to (don't use the transparent cover image, and don't disable the context menu). All in all, it seems like a pretty slick implementation!
    • Re:It's doomed. (Score:3, Insightful)

      by mqx (792882)

      "ii) Once it's displayable on your machine, there is *absolutely* no way they can stop a determined person from printing it."

      Of course, it's like breaking encryption: it comes down to a matter of economics -- while determination and effort can be used to break it, it's likely to cost you more time and effort than spending money, such as going and buying a copy of the book.

      Many things work on this principle.
  • by bLindmOnkey (744643) on Friday October 08, 2004 @12:29PM (#10470765)
    and so begins a new age of literature piracy
    • by dykofone (787059) on Friday October 08, 2004 @12:47PM (#10471042) Homepage
      And I say let the revolution begin!

      The BPAA (Book Publishers Association of America) has destroyed literature by stifling innovation and branding its own pop authors that it force feeds to the masses. Why, I can't go outside without being forced to read the latest chart topper.

      And really, why should I be forced to pay $20 for a whole book when only a few chapters in it are any good, and I could just download those from google or have a friend make me a copy.

    • How do you mean "begin"? Plenty of books on Kazaa and many of them aren't exactly legal.
      And how about Usenet?
  • by Mr_Silver (213637) on Friday October 08, 2004 @12:29PM (#10470770)
    Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM.

    Whilst I'm all for breaking DRM that hinders the rights you have to use your content in the way you want - this just looks like breaking DRM to get stuff for free.

    If that really is the case, then I'm extremely concerned that someone is doing this. Mainly because it adds extra ammunition to those who (wrongly) try to push the line that the only people who want to break DRM are those who want to rip people off.

    • by ImaLamer (260199) <john@lamar.gmail@com> on Friday October 08, 2004 @12:36PM (#10470875) Homepage Journal
      this just looks like breaking DRM to get stuff for free.

      You are 100% right.

      It isn't about "security" or even "fair use" it's about the ability to cut and paste, save and print someone else's content without their permissions.

      I could understand if you owned the books but you don't. Sounds like a good way to bite the hand that feeds you.

      If you are really concerned with Google messing with your browser... don't go to any Google domain, ever. Add an entry in your HOSTS file for google, froogle, gmail, gbrowser and whatever else you'd like.

      It's a free service, free in the sense that you are free not to use it.
      • by phurley (65499) on Friday October 08, 2004 @12:51PM (#10471098) Homepage
        Even within the framework of our eroding copyright laws, fair use allows quoting of copyrighted works. Why should I not be allowed to cut and paste (to prevent distorting a quote)? So I would say this is not an open and shut case.

        I understand the necessity for the DRM by Google -- without it their library of content will be severely limited; however, do not paint the actions of everyone attempting to circumvent the DRM.
        • No, I understand that you have the right to quote copyrighted works. This doesn't fall under fair use AFAIK, but still it is your right.

          However, for years people have had to write things down and now that we have computers don't act like you can't do so. Not to mention the fact that you can just "tile" the windows and transcribe the content into your favorite text editor.

          I run a website and I would love to cut and paste portions of lots of books. Would be great elsewhere too, especially when fighting with
    • Hmmm (Score:5, Insightful)

      by Auckerman (223266) on Friday October 08, 2004 @12:40PM (#10470933)
      You are adding to the fire by allowing them to change the definition of copyright. Copyright gives holder no right to determine how one USES content, it merely gives them a monopoly right over copying the content for distribution. There are some copyright limitations on use, such as public displaying and the like, but fair use clearly says once you give ME a copy of your work, I can do anything I damn well choose to it.

      It already gave me a copy of the work for free, if I choose to burn it, make a hat out of it, or print it out, it's my business.
    • by Kaa (21510) on Friday October 08, 2004 @01:00PM (#10471212) Homepage
      Whilst I'm all for breaking DRM that hinders the rights you have to use your content in the way you want - this just looks like breaking DRM to get stuff for free.

      Which DRM? I have no DRM installed on my machine. I have agreed to no contracts or EULAs with regard to DRM.

      Google sends me some copyrighted information. The copyright law limits what I can do with it (e.g. I cannot republish), but for my own private use I can do pretty much anything I want with it.

      That image already exists as a file (or part of a file) on my machine. What Google is doing is trying to prevent me from looking at it in non-approved ways. Well, it can try, but I have no legal or ethical obligations to follow its wishes. If I want to take that image, load it into Photoshop and play with it there, I am completely within my rights.

      So, no, I don't see any problems (either legal or ethical) with breaking this pseudo-DRM -- and I am willing to bet it will be breakable very easily -- and using these images however I want within the limits set by the copyright law.
  • by iammrjvo (597745) on Friday October 08, 2004 @12:30PM (#10470782) Homepage Journal

    Information, by its very nature, is copyable. DRM schemes may stop a casual user from copying information, but it is theoretically impossible to make an invincible DRM system like this due to the very nature of information.

    That having been said, Google is smart enough to know this. They have to put what they can in place in order to convince publishers to agree to their system.
    • by hype7 (239530) <u3295110@@@anu...edu...au> on Friday October 08, 2004 @12:37PM (#10470880) Journal
      this is a damn good point.

      I copied this from a post I saw earlier on slashdot - I have lost the link but still have the text.


      That's why they need the dumb-ass DMCA, because it's impossible to make secure DRM. DRM is not and can never be cryptographically secure because it is not actually a cryptography problem. Cryptography is about keeping secrets away from unauthorized people. That's fairly easy. DRM is about GRANTING people authorized access and GIVING them the key and then attempting to keep what you've given to them a secret from them.

      DRM is a schizophrenic and fundamentally impossible task.

      All they can do is the key obscurely inside the player and hope that no one makes the effort to look at it.


      It was written about SACDs, but it applies just as equally to stopping people copying text. In the long run, DRM won't work. It's just a serious pain in the ass, especially for legitimate users (how can you get fair use if the damn copy/paste functionality is disabled?)

      -- james
  • by nagora (177841) on Friday October 08, 2004 @12:30PM (#10470784)
    Works for me on Opera 7.54. DUH!

    TWW

  • So? (Score:5, Interesting)

    by lxs (131946) on Friday October 08, 2004 @12:30PM (#10470788)
    Messing with our browsers and DRM

    Does this mean that Google is now officially an Evil Company(TM)?
  • by Doc Ruby (173196) on Friday October 08, 2004 @12:30PM (#10470793) Homepage Journal
    We're entering an age where all data is passed as objects. OS'es won't have common facilities to save data, merely to access the storage HW. Objects might or might not have facilities to save themselves, depending on their producer. PCs are probably a lost cause, but once phones submerge in the viruspam tide, their OS'es will prove the perfect platform for "trusted computing". Software distributors will control your gizmos, and you won't even be able to turn them off.
  • Article Text (Score:5, Informative)

    by Anonymous Coward on Friday October 08, 2004 @12:31PM (#10470798)
    Google DRM

    To further protect your book content, printing and image copying functions are disabled on all Google Print content pages.

    Similarly:

    We've put a number of measures in place to prevent the downloading, copying, or printing of your content [...] Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.

    I'm surprised at how much effort Google went to here. I would have expected my browser not to be vulnerable to having any of its "functionality disabled", yet, with a recent Firefox, I found that I couldn't

    1. print the page to a PostScript file,
    2. right-click on the page at all,
    3. save the page to disk (the image would somehow not be downloaded at all),
    4. view the precious image in Page Info/Media (although I could see which image it was),
    5. save the precious image in Page Info/Media,
    6. find the precious image in the DOM Inspector (which seemed like the really heavy artillery), although the DOM Inspector did let me see its URL as part of an uninterpreted style definition, and seem to reveal the trick: defining a style called ".theimg", with the definition

    { background-image:url("http://print.google.com/long url with cryptographic signature"); background-repeat:no-repeat; background-position:center left; background-color:white; }

    and then invoking that style inside a
    tag:



    So I tried turning off JavaScript, and I found that I was essentially no better off: right-clicking caused a copy of cleardot.gif, not the .theimg background, to be saved to disk. For some reason, Save Page As.../Web Page (complete) still declined to download the background image at all, even in the absence of JavaScript, as if perhaps the CSS parser in the display logic in Firefox is smarter than the CSS parser in the Save Page As... code.

    The two ways I've found so far that work to capture images from Google Print are a screen capture (I used xwd, which of course worked perfectly) and looking in the on-disk cache (ls -lrt .mozilla/firefox/default.*/Cache/[0-9A-F]*). I'm still puzzled about why Page Info and the DOM Inspector won't actually reveal the image referenced in the .theimg style or allow it to be saved.

    If you wanted to write a proxy that would make Google Print pages capable of being saved to disk, you would presumably want to match

    background-image:url("http://print.google.com/\( [^ "]+\)")

    (although you'd need to be careful to match only the one in the definition of ".theimg", because it looks like there may be at least one other background-image:url) and then replace



    I haven't tried this because it felt like too much work relative to the previous two methods.

    Contrary to what I expected, Google Print does not seem to check referer, so it seems to be possible merely to extract the URL from the definition of .theimg, and then to load it directly. Perhaps that will change in the future.

    Google must have hired some experts on html image protection or html obfuscation. To be sure, there are lots of other tricks in Google Print that I had never seen before. It is hard to think that the author of that HTML obfuscation was not the subject of Richard Stallman's accidental haiku. It is amusing to think that Mr. Bad's "other" DeCSS might at last be used for some kind of circumvention (although I doubt it, because presumably Google Print simply won't work at all with the CSS removed).
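Added example (not part of the quoted notes or of any comment in this thread): a Python audit, from the page author's side, of the pattern the notes describe. It lists background images that inline CSS discloses behind an overlay `<img>`, matching per class so that only the rule for the covered element is reported. The sample markup, the `books.example` host and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page, modelled on the structure described in the notes:
# the page image is a CSS background on a class, covered by a transparent GIF.
SAMPLE_PAGE = """
<html><head><style>
.nav { background-image:url("http://books.example/images/bar.gif"); }
.theimg { background-image:url("http://books.example/page?id=CONSTRUCTED&pg=3&sig=PLACEHOLDER");
  background-repeat:no-repeat; background-position:center left; background-color:white; }
</style></head><body>
<div class="nav">Search results</div>
<div class="theimg"><img src="http://books.example/images/cleardot.gif" width="575" height="750"></div>
</body></html>
"""

VOID = {"img", "br", "hr", "input", "link", "meta"}
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
BG_RE = re.compile(r"background-image\s*:\s*url\(\s*[\"']?([^\"')\s]+)", re.I)


def class_backgrounds(css):
    """Return {class name: background-image URL} for simple `.name` rules."""
    found = {}
    for selectors, body in RULE_RE.findall(css):
        match = BG_RE.search(body)
        for sel in selectors.split(","):
            sel = sel.strip()
            if match and re.fullmatch(r"\.[\w-]+", sel):
                found[sel[1:]] = match.group(1)
    return found


class PageScan(HTMLParser):
    """Collects inline CSS and, for each <img>, the classes of its ancestors."""

    def __init__(self):
        super().__init__()
        self.css, self.stack, self.covered = [], [], {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            # Every enclosing element with a class is "covered" by this image.
            for _, classes in self.stack:
                for name in classes:
                    self.covered.setdefault(name, []).append(attrs.get("src", ""))
        elif tag not in VOID:
            self.stack.append((tag, (attrs.get("class") or "").split()))

    def handle_endtag(self, tag):
        # Ignore stray end tags; otherwise unwind to the matching open tag.
        if any(open_tag == tag for open_tag, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            self.css.append(data)


def audit(html):
    """List background images that the markup discloses behind an overlay <img>."""
    scan = PageScan()
    scan.feed(html)
    scan.close()
    findings = []
    for name, url in class_backgrounds("".join(scan.css)).items():
        if name in scan.covered:
            findings.append({"class": name, "url": url, "overlay": scan.covered[name]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(finding)
```

Any URL this reports is readable by whoever receives the page, so access to the image has to be decided by the server that answers that URL rather than by the markup.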
    • by dmeranda (120061) on Friday October 08, 2004 @01:01PM (#10471235) Homepage
      What's next, banning cell phone cameras in book stores, or libraries?

      This sort of HTML obfuscation abuse is just the beginning. This is a general problem with any sufficiently rich presentation language. There are hundreds of different ways to obfuscate things.

      Just wait until MS finally decides to properly support PNG alpha transparency! Combine this with CSS absolute positioning, and you'll start seeing images which are composited from many different layers of semi-translucent images; each of which is just noise of its own. You also have already seen for a long time the cutting up of images into many small pieces.

      This could be taken to an extreme as well. With absolute positioning you could also do this with text as well as images. Just position each letter on the page separately and randomize the order in which they appear in the HTML stream. Or even worse, use a custom downloaded font, where the glyphs are all randomized, so although it may look like an "A", it's really in the slot for a "Q"...try to cut and paste that.

      Consider the PDF format as an extreme of where XHTML+CSS+DHTML+PNG can go wrt. obfuscation. Sure, the determined and savvy can always get the text copied out; but that doesn't mean it's not going to be very difficult.

      Maybe we should all go back to ASCII and lynx.
  • Explanation Provided (Score:5, Informative)

    by Gerv (15179) <gerv@@@gerv...net> on Friday October 08, 2004 @12:32PM (#10470819) Homepage
    A full exploration of the html obfuscation and DRM employed by Google would be very interesting

    I've been looking at this - there's a blog post [mozillazine.org] with some preliminary discussions, and a follow-up [mozillazine.org] giving some ways of getting around it. The short answer is that if you just want to save the image to disk, it's not too hard in a decent browser [mozilla.org].

    Gerv
  • by Buran (150348) on Friday October 08, 2004 @12:33PM (#10470825)
    Where can we see a sample of this to test whether it actually does these disabling things?

    I do agree that this is a security problem. We already have options in some browsers (I use Firefox, for example) to block sites from changing status bar text, changing images, etc. And there was no fuss about that. I think disabling such basic functions as copy, paste, print falls in the same "no-no" category as changing statusbar text, changing images, etc.

    A site presents a page in a certain way, but I as the user get to select how I view it, with what functions I want to view it, which parts of the site I want active and which ones I don't. You can't force me to accept what I don't want to accept. If I set my software to ignore part of your site, that's my choice, not yours.

    You don't go disabling functions in users' browsers. You let them do that themselves. Conversely, you don't enable stuff the user didn't enable themselves.

    Isn't it now about to be illegal to go changing peoples' browser settings via the use of spyware? Doesn't this come awfully close to doing the same thing? If it changes how my software behaves, it's awfully close to being malware.
    • by gregarican (694358) on Friday October 08, 2004 @12:48PM (#10471063) Homepage
      Here is an excerpt from a Mozilla blog regarding this. The parent URL of the print.google.com example is http://print.google.com/print?id=ULQSG0Zs7vcC&lpg= 3&pg=0_1&sig=O0-GVU5AdfrMmUtu0N5mNM7sUCg.

      Next idea: use the DOM Inspector to inspect the entire browser XUL. This means that the context menu will still work. It's more difficult to do, because you can't locate elements by clicking in the content area - it only works for the chrome. Still, we finally track down the clear GIF and delete it. Boom! This time Firefox crashes (taking with it an earlier version of this blog post.) :-(

      OK, let's try another approach. Let's find the surrounding
      in the DOM Inspector, look at its computed style, and copy the URL out of it. Except that the Computed Style view doesn't support copying. Undeterred, and feeling close to the goal, we view the applied styles for the
      and try and copy the URL out of the individual background style rule.

      Success! This works. We can chop off the CSS gubbins, paste the result into a web browser URL bar, and finally get an image we can save.

      In fact, you can also get the URL of the page graphic by viewing the source. It turns out that it's not as hard as I made out, because currently, the
      in question has a sensible class name: .theimg { background-image:url("http://print.google.com/prin t?id=ULQSG0Zs7vcC&pg=3&img=1&sig=gv2nFptEf0dj7Gzb8 eZ4U8UdtUo") }
      so it's easy to find.
  • by openSoar (89599) on Friday October 08, 2004 @12:34PM (#10470844)
    Why are the pages even protected by any kind of DRM in the first place? AFAIK, they don't let you view the whole book - just a few selected pages - isn't this just the same as the track clips you can listen to (and save if you wish) at most of the music stores?
  • by glob (23034) on Friday October 08, 2004 @12:35PM (#10470851) Homepage Journal
    gerv, a mozilla developer, has a few blog entries that talk about how the print service tries to stop you from getting to the jpegs, and how to bypass that.

    Google Print, And Clue Barriers [mozillazine.org]
    Google Print Hacking Ideas [mozillazine.org]
  • by OverlordQ (264228) * on Friday October 08, 2004 @12:35PM (#10470854) Journal
    Last comment on Bug 226572 - Google branded Mozilla browser [mozilla.org] was:
    This is a duplicate of a private bug about working with Google. So closing this one.


    *** This bug has been marked as a duplicate of 213362 ***


    Now they're both [mozilla.org] mysteriously restricted to general viewing.
  • by ShatteredDream (636520) on Friday October 08, 2004 @12:35PM (#10470856) Homepage
    They're preventing people from walking off with free books. If Google doesn't do that, then they cannot offer this service. Sometimes it is better to accept a little inconvenience. There is nothing stopping you from retyping an entire small passage if you want to quote it.
  • by Space cowboy (13680) * on Friday October 08, 2004 @12:36PM (#10470865) Journal
    ... another can undo.

    It seems rather futile to try and restrict what people can do with images on the net. Given that fundamentally it's an open easily-parsed format, and wget is your friend, it ought to be relatively easy to write a harvester, if anyone could be bothered.

    And there's the rub. Unless Google publishers are sufficiently stupid (I've not seen much evidence of online stupidity in book publishers to date...) to put significant excerpts from the book online, who'd care if you could download the images?

    At the end of the day, the best protection is to make sure that the good information is kept in the book, and the online imagery gives an indication of what you get when you pay for the book. This all presupposes the book is worth buying, of course, and perhaps that's the market they're trying to protect...

    I guess this will protect against casual copying by the clueless, and that's probably all they're trying to do, but Google is every tech's favourite lovechild (brought about by those clever marketing peeps, which, er, aren't most tech's favourite people. Well, moving swiftly on...). So Google are popular, and they do something that those tech peeps will react to (DRM), and quick as a flash there are workarounds. Hell, I expect a firefox plugin by tomorrow! A waste of time, perhaps? Or just another example where the clueful (Mozilla users) have the advantage over the clueless (IE users :-)

    Simon.

  • by hartba (715804) on Friday October 08, 2004 @12:36PM (#10470866)
    Just put your monitor on a copy machine!
  • by slagdogg (549983) on Friday October 08, 2004 @12:36PM (#10470868)
    Change the line:

    "Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content."

    to:

    "Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content from most users."

    It's magic.
  • by FooAtWFU (699187) on Friday October 08, 2004 @12:39PM (#10470911) Homepage
    Bookmark javascript:void(document.oncontextmenu=null) [about.com] . Instant right-click enabler.

    It's not tough "DRM"... my university's local online student newspaper equivalent [wfu.edu] effectively does the same thing.

  • by RealAlaskan (576404) on Friday October 08, 2004 @12:39PM (#10470915) Homepage Journal
    Google has to do this, but they don't have to make it work.

    They have to show the suits at the publishing houses that they are being responsible, safeguarding the suits' ``intellectual property''. It doesn't really matter whether it actually works, just as it doesn't really matter if the features in the checklist on the box of software work. It's a tool for the salesman to use.

    If this feature exists but really doesn't work, then the suits get the illusion that their ``intellectual property'' is protected, and they get free advertising of the try-before-you-buy variety. For this best of all possible worlds scenario, it has to work well enough to fool the suits, but not well enough to stop the rest of us.

    Sounds to me as if Google has gotten it to work just about well enough to do a good job for all concerned: Google, us readers, and even the suits.

    • Unfortunately it fails accessibility rather badly. Since Google has an EU office I guess that means any DMCA threats can be met with counter accessibility law threats. Plus I guess google just blew its ability to do deals with US government 8)
  • by AmigaAvenger (210519) on Friday October 08, 2004 @12:41PM (#10470948) Journal
    Guess I just broke it...

    First, turn off javascript. Then turn on image dimensions. Right click on the dimensions for the main image, and click view background image.

    http://print.google.com/print?id=ULQSG0Zs7vcC&pg=3 &img=1&q=mastering+digital+photography&sig=gv2nFpt Ef0dj7Gzb8eZ4U8UdtUo [google.com]

    is the URL that is used, and surprisingly it is linkable from outside, it doesn't appear to check IPs, browsers, or anything else. (deep link away!)

    • by spectrum (92555) on Friday October 08, 2004 @01:10PM (#10471358) Homepage
      Perhaps I'm doing something wrong, but by default I surf with:

      - Firefox 0.9.3
      - Javascript on, but all the little check boxes off
      - Not allowing any site to override my css
      - Images from originating website only

      I cannot even see any evidence of DRM, I can print, copy, paste, etc.

      Perhaps I'm doing something wrong?

  • by Megor1 (621918) on Friday October 08, 2004 @12:42PM (#10470970) Homepage
    http://print.google.com/print/doc?articleid=x4H9Tl RQew7 [google.com]

    I can copy text in both IE and Firefox...

  • Gerv did it (Score:5, Informative)

    by SimplexO (537908) on Friday October 08, 2004 @12:44PM (#10470998) Homepage
    Gerv [mozillazine.org], who works for mozilla [mozilla.org]/bugzilla [bugzilla.org], already went through this [mozillazine.org], and found several ways around google's hackery. He then went and summarized the multiple ways to do it [mozillazine.org] in good browsers [getfirefox.com].
  • wget is forbidden (Score:5, Interesting)

    by bartash (93498) on Friday October 08, 2004 @12:47PM (#10471041)
    $ wget long url from http://slashdot.org/comments.pl?sid=124900&cid=104 70948
    Resolving print.google.com... done.
    Connecting to print.google.com[64.233.161.118]:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    09:44:53 ERROR 403: Forbidden.
  • Trivial security. (Score:5, Interesting)

    by E1ven (50485) * <[e1ven] [at] [e1ven.com]> on Friday October 08, 2004 @12:48PM (#10471054) Homepage
    It's not a vulnerability at all... Just obfuscation.
    The image is set to be a background image, using CSS. Like a background on Table, or on a website, the page doesn't let you click on it, to directly alter it.

    But in the code itself, it's pretty obvious...

    An example, of the straight JPEG [google.com]

  • by DreamerFi (78710) <john@si[ ]ur.com ['nte' in gap]> on Friday October 08, 2004 @12:50PM (#10471089) Homepage
    1. Go to a google print page [google.com]

    2. Do a "View Source"

    3. search for this: ".theimg { background-image:url"

    4. copy the URL from that place, into a new browser.

    5. ???

    6. Profit!

    scripting this should be ludicrously easy.

  • by Jeremy Erwin (2054) on Friday October 08, 2004 @12:56PM (#10471168) Journal
    Although command P produced a page with a big white hole where the text was supposed to be, I used the "Activity Viewer" to discover that one of the components of the page was substantially larger than the others. I was able to double click that particular URL, which opened in a new window, shorn of any nasty DRM.
    I am afraid, however, that Apple will face pressure to restrict this rather useful feature. At one time, it could be used to evade Quicktime silliness, but it seems the feature has since been disabled.

    (The transparent.gif overlay technique has previously been used by (ahem) vendors of photography, and (of all people) ebay sellers. It's not quite novel.)
  • by Exocet (3998) * on Friday October 08, 2004 @12:57PM (#10471174) Homepage Journal
    http://spiderzilla.mozdev.org/

    To reproduce:

    - Install the Spiderzilla XPI. I installed with Moz v0.7.3 on WinXP.
    - Visit google. I searched for "Mastering Digital Photography". The top result is a book.
    - Fire up Spiderzilla (Tools -> Download this site)
    - Use the defaults. I did.
    - Go into whatever you named your project, then go into the "print.google.com" folder. The big images are what you're looking for.
    - Use some OCR or something. :P

    Note: I actually like Google. I don't think they're evil, nor do I think they're bad/wrong/stupid.

    Well, maybe a little stupid - on this particular project. As many others have pointed out, google delivered content to your (my) screen. At that point, it's exceedingly difficult to prevent me from taking that content and running with it. Surely they expected this to happen and simply did the best they could to prevent it? I can't imagine they assumed their restrictive measures would defeat misuse attempts by anyone other than the most casual user of this service.
  • 502 Error (Score:3, Informative)

    by barcodez (580516) on Friday October 08, 2004 @12:57PM (#10471176)
    Is anyone else getting a 502 error? Has Google really been /.ed? If so shame on them - Google seem to be losing the thread, first DRM and now system outages - all in one day :(
  • Google Print is down (Score:3, Interesting)

    by Ba3r (720309) on Friday October 08, 2004 @12:57PM (#10471181)
    Could it be that this wonderful headline has alerted google that they are probably breaking agreements with whoever they licensed the books from, and caused them to take down this feature??
  • by rpdillon (715137) on Friday October 08, 2004 @01:04PM (#10471262) Homepage
    This was always intended as a "feel good" feature of the Google print system so that publishers would feel safer sending tons of books to Google.

    The "real" DRM here isn't DRM. As a previous post so astutely pointed out, DRM is schizophrenic by nature: it involves trying to give someone something without *actually* giving it to them.

    Google's "real" protection is that the service won't let you view more than a certain percentage of the book in any given month. That percentage is determined by the book's publisher at submission time, anywhere from 20% to 100%.

    Even if you can copy/paste/print, you're still only going to get a portion of the book - certainly not enough to replace a valid sale. Disabling that functionality basically returns us to the age of photocopying a few pages of a book/article in a library. Except now we can search, so it's faster.

    If one solution is as simple as "grab the data from your browser's cache" this is clearly meant to only stop the "average" user, something that is in very short supply here on /. But it's good enough for Google to run the business, most likely.

    Here's to hoping this headline appearing on /. isn't going to spread enough FUD to publishers that would have otherwise sent in their material. Google print is still in its infancy, and could fail if Google doesn't assert some spin control on the situation, I suppose. Maybe I overestimate /.'s influence.

  • by alphakappa (687189) on Friday October 08, 2004 @01:25PM (#10471575) Homepage
    1. This is not *your* content.

    Let's say that you buy a song/movie and it has DRM which restricts the way you use it - you would be justified in removing the DRM to use it in your own way (provided that you engage in 'fair' use). The content that Google displays in its book search results are *NOT* your media. You do not own it, you have not paid for it and Google is providing it to you as a courtesy. To provide it, they have to ensure that you do not make copies of it since even Google does not own the media to be able to give it away to you. Nothing wrong in restricting your options here.

    2. OMG they have control over the browser!

    Yes they do not ask you before disabling your browser options. But this does not install a trojan, or do anything permanent with your computer like other sites do. If you do not like the fact that your options have been reduced on that page, all you have to do is hit the back button and scram. (It's like complaining that a particular room in someone else's house is too hot - if you don't like it, get outta there!)

    3. The DRM can be disabled.

    Sure, it can. If one man can enable it, another man can disable it. The point, as has been noted in several places, on several occasions is that the average person cannot disable it. And no, you cannot automate the process to get complete books since the guys sitting at Google are not stupid and they will have measures built in to prevent automated downloading of entire books (through whatever strategies - searching repeatedly etc)

    And yes, I have to mention this : Google has shown me how to push the limits of HTML and scripting - First with Gmail and now with Google Print - they are doing stuff that looks like pure art to the programmer within me. Hurray for ingenuity!
  • Oh, heavens, yes! (Score:3, Insightful)

    by csimicah (592121) on Friday October 08, 2004 @01:39PM (#10471795)
    I can't imagine a bigger security vulnerability than an inability to copy/paste someone else's graphic! Dear God, whatever will we do!

    Jesus, people, do we have to break everything just for the sake of breaking it? And do we have to bring in the melodrama? As someone mentioned above, the only reason Google *can* offer this is because of the DRM. Why do we have to immediately set to destroying every new toy we get with a hammer?

    At some point all information will be digital, and if we don't ever let people have a way to make money from creating content, they'll STOP CREATING THE CONTENT. And then I guess we'll have gotten our way, huh?
  • by Otto (17870) on Friday October 08, 2004 @02:50PM (#10472772) Homepage Journal
    IE. Default settings. No proxy, no modifications. Nothing particularly special about it.

    -Load up the book in the browser.
    -Click the View menu, select Source.
    -Search for "div class=browse"
    -Immediately before that, you'll find something like this in a CSS style:
    { background-image:url(http://print.google.com/print ?blablahblah");bunch of other stuff;}
    -Take that URL, copy and paste it into a new browser window and voila, you have the full size image. Save As or Print on this image works fine. No problems at all.

    Seriously, this is trivial to break.

    What's not trivial is getting an entire book. How to figure out how to get every page is the tough part. Getting the image itself is a cakewalk. It's just Javascript tricks to break right-clicking and CSS tricks to break direct printing from that window. Saving gets broken because of the tricky CSS using the IMG as a background image. The browser doesn't think to save the image, is all.
  • by almaw (444279) on Friday October 08, 2004 @02:50PM (#10472780) Homepage
    There is no fancy copy protection. There certainly isn't some flaw in Mozilla.

    It's simple - the image is done as the background image for an HTML element. There's nothing to stop you linking directly to the content: sample image [google.com], for example.

    You can't right click on it because it's a background graphic. But you sure as hell could write a robot script that went and downloaded pages.

    If they're clever, they'll watermark each image as it is served, so they can tell who's copying what (well, down to the originating IP, anyway).
  • by Jugalator (259273) on Friday October 08, 2004 @04:28PM (#10473952) Journal
    1. Install Adblock. You should have it for other reasons anyway. :-)
    2. Add this URL to its block list:
    http://print.google.com/images/cleardot.gif
    3. Disable "collapse blocked elements" in Adblock while browsing Google Print.
    4. Pick "View Background Image", then "Save Image As..."

    I guess someone will come up with a Firefox extension in no time that will just add a context menu option called "Save Background Image as..."
