Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
The Internet

eBook Security? 23

Chaswell asks: "I just received an email from one of the executives. Of course I really can't say who or where, but he wants to know how we can protect our ebooks from 'crooks'. The publishers that are contracting with us to publish their books in digital format are concerned because they feel that we do not protect the material 'enough'. One of the publishers noticed that if they told their browser to save every page in an online text, low and behold they now had a copy. In early design conversations, I always pushed for not spending time on encryption and watermarking, but just leaving it open. I wanted the utilities and add-ons to be enough that a 'stolen' copy would be of much less value then the original. The argument was that it was not only of lesser value but also the same risk as having a copier in a library. Well this thought seemed to have been enough until this morning. After watching the current court battles, I feel this would be a great waste of devel resources to even attempt to secure the ebooks. So I have couple of questions I could really use Slashdot's input on." Read on for an excerpt of the email that sparked the question and the questions themselves.

"Here is an excerpt of the email message that started this train of thought:

'...think the issue comes down to the industry (Publishing, Digital Book Providers) creating a monitoring body to pursue such postings of "stolen" content...The only other thing I can think of is digital watermarking, which will identify the account through which the book was stolen. Again, it can't prevent dissemination, but does make it easier to track down the infringing party.'

And after thinking on this a bit, I have the following questions:

  • Is there a legitimate way to secure the texts to prevent dissemination but still not require a plugin or proprietary browser (we want everyone to be able to read even on the cheapest of library terminals)?
  • Does anyone have a solid argument for why encryption/protection will not be necessary?"
This discussion has been archived. No new comments can be posted.

eBook Security?

Comments Filter:
  • Even if you send each page as a jpeg(so as to steg in a watermark)
    Can this be done with JPEGs? Is there any point, if you have to turn down the compression to retain the steg info?
  • I thought it was "Steganography", but Google turns up loads of hits for each (but about twice as many for steganopgraphy as for stenography).
  • could be. I'm not the hottest speller.
    ---
  • One can put steg in to just about anything. I would think that you wouldn't be putting a very large watermark, just an ID# or something.

    However, perhaps I just should have said "generic image file", but I'm lazy:}
  • Of course, PNG or GIF would be better than JPEG, but this seems like a kind of crude way to do it -- there must be better ways.
  • first, when you "buy" a copy of the book online, the company gives you half of a key block, ala pgp. then you download the whole book in some crazy encrypted format. then, the company's program uses your personal key to decrypt the text, but then ==display it only as a jpg file to the screen== 1 page at a time. sure, you could copy and page 600 jpgs to disk and run OCR on them, but there are probably nice ways of making the ocr confusing. and who wants to do that?

    and since it's encrypted to your specific key, tracking would be easy.

    the filesize would be small, only zipped & encrypted text, so you could download portably if you wanted. or even make it only work when you are online.

    also, what about steganographically hiding a key in a text? i think with about 50 typos or extra spaces riddled throughout a book it would be hard to clean them all, and you could track distribution.

    just some methods to think about.

    /m

  • Actually our goal is to make it as easy as possible to access the books from any computer anywhere. Which in my opinion really contradicts the idea of then trying to control the distribution of the content. I guess the real problem is that we sold the publishers on the idea of "anywhere, anytime, KISS," but now they want all that and a bag of security tricks.

    In order to achive our goal, we display the pages of the book in plain HTML.

    - chaswell

  • I suspect he's not talking about an HTML/web version. I pretty sure he's talking about an electronic-book-specific format like Adobe's eBook [adobe.com] or some other. I bet the "browser" he was referring to was not a web browser, but an "ebook browser".

    The general "if it is on my computer I can copy it" argument still stands in this case. But your HTML-specific methods fail to apply.

  • The fact is there will always be a way to work around copy-protection always

    There will always be talented geeks using there knowledge to get something free and i don`t know if you know,but there is a big thrill in cyberstealing,the harder the greater the thrill

    As for me and others like me,whenever i steal something copy-righted i am glad that i do what i can to wreck the western economy.

    The only way to fight piracy is if all countrieys would be developped and thus would pass laws against this and really control it.

    the fact is Thailand brazil and other nations have no reasen to protect copyrights,because if their economy uses pirated software it only has a bad effect on the US and other developped nations and it would cost the company`s more money to buy original software.

    Just take my country(Suriname) for an example. I can just mass produce pirated software and no law could stop me.Everyday we see commercials for pirated software and the pirated versions are available months before original and nowadays you have to search high and low for original software,since nobody buy`s it.

    Even hardware stolen in the US can be bought here in the slums with no risk.
  • I'm not sure exactly what sort of electronic publishing you're talking about here, but since you mention "telling your browser to save every page" and "identifying the account through which the book was stolen", I'll assume we're talking stuff on the web, but with registration and a login required to access it.

    In this case: no, I don't think there is any way to prevent dissemination without requiring a plugin or special browser. If it can be displayed on a normal browser, it can be saved via "File->Save As...", or cut'n'pasted from the browser to an editor.

    So that takes you to the issue of watermarking. A few ideas spring to mind here. Most naive idea - I guess the HTML is coming from a CGI or something, so put a comment in it with the username, date, IP address, etc. Obviously anyone can strip this out easily, but you might spring some naive thieves. More complex: encode this data into a string of some sort and use it in the code as an anchor or something (so an internal link in the page might be to "blah.html#Hg3sdFHsASIU", where the Hg3sdFHsASIU is a uuencoded user id/date/IP.

    If you're more interested in stopping copying rather than identifying the culprit, you can make life annoying. I wanted to save some books from the free library on www.informit.com - the fact that the pages were surrounded by sidebars, had all their internal links in absolute form rather than relative, and that all figures and diagrams were popped up by Javascript buttons (again with absolute paths) almost made this more trouble than it was worth. Being an enterprising soul, I whipped up some Perl to clean up the files, but most people wouldn't bother. (bonus irony point: the first book I was trying to rip off was a "teach yourself Perl" book - this taught me how to write the Perl script to clean up the saved HTML) ;-)

    Of, and of course, since this is Slashdot: no way lamer!!! information wants to be free!!! tell the publishers to get fscked !!

  • I suspect he's not talking about an HTML/web version.

    I thought not, at first, but it was his mention of people being able to access the stuff "even on the cheapest of library terminals" that made me think maybe he was after all?

    The general "if it is on my computer I can copy it" argument still stands in this case.

    Yep. And regardless of whether it's in HTML or some eBook format, if he's talking about people saving pages as text, then any watermarking is totally doomed. It's like the text equivalent of copying a watermarked audio track by plugging your audio out into a cassette recorder - loss of quality, but no watermark is going to get through.

  • Tell them that in order to 'secure' the content, you will eliminate the primary goal of being able to access it from any computer. On top of that, any encryption scheme that is not cumbersome for the user will end up being cracked, so your effort will be wasted. If they want to make money from these ebooks, create a subscription service.

    However, I do agree that there are times where you don't want the users to be saving information that they are viewing via the web. With Netscape 4.x, one can use javascript to turn off the ability to click on a page (to highlight for cut & paste, view source, etc.). I've used this trick along with an frame containing only an invisible <layer> tag that has a blank page as its source. Java script on another frame changes the source for the layer with the output of a CGI script that's been tagged as non cacheable. The user can see the content, but when they try to save it or print it from the menus, they get the original blank page. I'm not quite sure how to do a similiar sort of thing with IE or Mozilla. Of course, this only keeps the casual users from saving or printing out the pages. The 'crooks' would find a way around it.

  • Stenography refers to writing in shorthand. Steganography [jjtc.com] is about hiding messages. Oddly and perhaps appropriately, the latter word is not to be found in my big American Heritage Dictionary [amazon.com].
  • Does anyone know when writing changed from an art that artists wanted to share with as many people as possible to a business centered on restricting supply while using marketing tricks to increase demand and artificially maximise profit?

    --

  • There was a freely available King novel that B&N or someone were distributing. You had to download some Glassbook (or similar) reader and the reader handled the book download and kept it secure. However, the paranoid reader software was never able to form a connection through the company firewall and both myself and another interested staff member were unable to access the work. If it had just been a .PDF file we wouldn't have had any problems.

    Other Examples: Having to have the CD in the drive when playing a game means I can't enjoy the program on my Ultralight -- it doesn't have an internal CD drive. Having a registration code that involves a hardware hash means that if I have to replace or upgrade my device I lose the product unless I can re-contact the company (which may have gone out of business). Lose the stupid code wheel for a game and it's useless (Cycles, by Accolade).

    Copy protection and other complicated technologies reduce usability and devalue products. They should be avoided at all times. You don't know what I might want to do with your product -- if you restrict my ability to adapt it to my situation you may make it useless to me.

    --

  • Easiest argument against wasting your time with encryption. If I can see it, I can copy it. Even if you send each page as a jpeg(so as to steg in a watermark) I can always just print it out and OCR it back in. If you make some nifty plugin that just displays it, I can always hit PrntScrn. If nothing else, I can have another computer next to me and type it as I read it.

    Now, if one was to have to choose some way, I would personally chose the jpeg with a watermark so that A) you could track people dumb/lazy enough just to trade the images, and B) people are lazy and are least likely to take the time to OCR the images back into text.

    Basically, if you aren't doing your own hardware solution, it is just a waste of capital.(
  • take for example, http://www.askjesus.org, which provides a comical steganographic trick on the text of a web site.

    Why couldn't I take a stegan'd text from the publisher, run it through my own stegan engine (encrypting their encryption in a very readable format), then freely distribute the result? (aside from being illegal)

    Sure, the text might be strange, and if done poorly it'd be like hearing a joke told that you've heard before.
  • It's just not possible to do what you are trying to do. One of the fundamental principles of encryption is that you have to trust the person you are communicating with. There is no way for you to trust the people you are selling ebooks to. If I can read the book on my computer, I can decrypt it and do whatever I like with the text (although if I were to send it to someone else I'd probably be breaking copyright laws).

    Don't get me wrong, I'm not trying to discourage the use of electronic distribution - I'm just stating a fact. I hope that distributors will get past this paranoia and distribute electronically anyway, without any protection. Protection just gets in the way. People buy books today even though they can read them for free by borrowing them from the library.

    I might want to read the text using software other than that which it was designed for. I might want grep it (I might want to grep my entire collection of etexts.) I might want to perform statistical analysis on it or feed to artifical intelligence software which tries to understand it. I might want to read it years later when the encrypted etext reader has stopped working for one reason or another. All these things are more difficult if the text is encrypted.
  • I'm not a programmer, but I've been questioning the whole system with e-books for a while.

    I did work with Nokia before and they didn't want people to be able to save certain PDFs and things of their websites and though it enough to disable save in Acrobat Reader. Well, that worked, unless of course I happened to have the full Acrobat product.

    Basically, if I can get it on my machine, I can save it somehow, unless I'm required to have a net connection to read it (by some code missing until I connect). That's highly inconvenient.

  • Let us look at the options you have here.

    You can encrypt the content, only to be decrypted on the browser. This requires JavaScript, Java, or ActiveX. This will not work as you are then sending all secret information to the user's computer. This could be reverse-engineered easily enough.

    You can send the content in jpg, gif, or png format and stick a watermark in there. That does not prevent unauthorised copying but at least you could track down who copied it. Assuming that they don't leave a fake name...

    You could send the content via a Java or ActiveX component which adds watermarking and/or protection. No better than the above solution, of course.

    You could obfuscate the information, using tables, etc. such that saving the page produces almost useless information. This is, of course, useless because you could do screenshots or use a decent html-to-plaintext program.

    You could send all the content as part of an exe which could only be displayed by that exe. If you make that exe connect to the Internet to get a decryption key or 'permission' then you have a slightly better idea. Except of course that they could still take screenshots or reverse engineer the secrets.

    All of which do not fit your requirements. You state that you must run on even the cheapest of library terminals. That means that you must run text-only under lynx with no plug-ins and even no HTML tables and frames and stuff. Because, remember, there are a significant number of terminals running old versions of lynx in university libraries.

    That means you must send pure HTML free of fancy formatting. That means that you simply have no options to adequately protect the content, even options that are fundamentally flawed. You have no option but to send pure HTML, unprotected. You can neither digitally watermark nor encrypt the content.

    --

  • by einstein ( 10761 ) on Wednesday February 28, 2001 @04:27AM (#396184) Homepage Journal
    embed a stenographic watermark server side, that documents the IP, and time of access. then, if copies do surface, you know where they orginated from, all that could be done server side, without requiring anything special on the browser end.
    ---
  • Watermarking is STUPID and WILL FAIL in the marketplace. Why? Because it's an intrinsic threat to customers. "By the way, if we think you copied our stuff, we're going to sue you for infringement." Who the hell is going to be stupid enough to buy your product, when you're threatening to sue them?

    So okay, the only people who are going to buy your product are those who see a benefit from taking the risk that your watermarking system will succeed. In other words, your only customers will be people who PLAN to copy and plan to destroy your watermarking system.

    Oh great, so your only customers are going to be thieves. THAT is the nightmare scenario, but it's not one created by the market, it's one created by YOUR OWN EXECUTIVES.

    Sigh. Those who do not understand failures of technology are doomed to reinvent them.
    -russ
  • by scotpurl ( 28825 ) on Wednesday February 28, 2001 @06:05AM (#396186)
    Consider that before people were sneaking into movies, they were sneaking into sporting events and plays. I'll be they had gate crashers even in ancient Rome.

    The higher-ups need to take a look at the expense and hassle of an encryption technology, and what losses they reasonably expect if your product were presented in plain ASCII text. Reasonable losses is a concept lost on many MBAs. You base your estimates upon past losses, not upon imagined future losses. For example, one of the software publishing groups takes the number of PCs sold, the number of software titles sold, and since the number of PCs is greater, assumes that their software was installed on all those PCs (and were thus pirated). It never enters their minds that not every PC gets commercial software installed on it, or that PCs break, or that not every software title gets installed on every new PC.

    Fifty years ago, how did publishers deal with pirated works? Why won't those same techniques work now? (Don't give me that line about the new economy. People still buy things, and it's still illegal to pirate copyrighted works.) Why put yourself in the position of being the police force, including the added expense and hassle. If you're still making money, then you're OK. Turn the evidence over to the Feds, and let them handle it (and the expense).

    An easy way to prevent piracy? Make it cheap to be a member who can access eBooks, and provide the eBooks in a variety of formats (including ASCII). Provide a two year free membership for people who turn in other people that are distributing pirated works. Use tiered pricing, where the average person (who is a light reader), can get a title per month for their $20/year fee. For heavier readers, step the price up gently. For libraries and schools, offer a flat, unlimited download fee (like $500/year) but restrict them to one account and password assigned to someone on staff. Talk to the big porn web sites, and find out how they track and identify logins that are fake, or have been shared amongst several users. I'll bet there's a company out there right now that makes software that does access log profiling -- and it wouldn't be that different than the pattern monitoring that many credit card companies offer for tracking purchases.

    I think you can make money at $20/year. There's no printing costs, no distributing, no spoilage, no transportation, and no wasted copies. You can still charge vanity press or estimated low sales authors a fee for "sharing in the risk of publication."

    The simple truth is that you can't make your product popular and easy to use if there are any requirements for its use. The simple fact that it must be decoded so that it can be read means that every watermarking, steganographic, or encryption method will fail (and the DVD/HDTV folks are spending a lot of money trying to ignore this). Until you can inject your works directly into the brain of the consumer, I doubt that you can avoid piracy. (And even then, some pirate will likely figure out how to use the consumer's brain as the master copy for duplication.)

    Be a farmer. Accept that some of the crop is lost every year, and that you've got to make money on the good part of the crop.

    Heck, try my model for a year. If you don't make money, you will at least have a bug-free distribution system.

You see but you do not observe. Sir Arthur Conan Doyle, in "The Memoirs of Sherlock Holmes"

Working...