Re: Controlling Copy/Paste/Print 2004-11-15 - By Robert Hanson
The only way I know to completely secure content is to encode it in a
proprietary, undocumented format; provide a reader program for each OS you
want to target. Make you decode algorithm very difficult to understand so
it can't be reverse engineered.
If you're delivering content over the web, the primary issue is that to get
it into someones hands, you actually have to deliver it to their computer.
Once you have done that, they can basically do whatever they want.
Here are the issues I think you need to deal with:
1) The web server determines if the user has permission to access the
content.
2) Once the content is delivered to the user's computer, he can do whatever
he wants with it.
Your goal should be:
1) Design your web interface so that content access rules are built in.
Discussion: how do you identify a user? There are several characteristics
that canbe used:
1) IP address. This won't work for people behind firewalls, proxies, etc.
For example, many many people use AOL. From one request to the next, their
IP address changes depending on which proxy they go through. And, I could
go from one computer to the next; or unplug my cable modem....
B) Cookies. But a user can erase cookies, giving him new access to the
resource
C) Authentication (login) Really the only way to conclusively identify a
person as being who they say they are (at lease, without biometrics; I
doubt your content needs to be that secure)
Discussion: How do you track accesses and count them? That part should be
easier, I think.
2) Protect the content once the user is allowed access.
Discussion:
The problem here is that, for the content to be accessable to the user, it
must be transmitted to the user. Once the data is downloaded, the user can
do lots of things with it. Consider a generic "browser" (by this I mean
anything that accesses internet content, like IE, realplayer, edonkey,
etc). Certainly the browser can display the data; and it might provide
other capabilies.
For example, IE allows you to save an entire web page, including graphics.
You can disable the right-mouse button, and maybe even the "File-save"
button, but that is not a surefire way to go. Firefox has an extension
that re-enables the right-click button if it is disabled. And, someone
could use a "screen scraper" program or web spider program to download your
page, without using a browser.
Another example: Realplayer does -not- let you save a streaming media
playback to your computer (at least, I haven't found it yet). So a
streaming media presentation is "safe" if Realplayer is used to present it.
But, a clever person could write a Realplayer substitute that captures and
stores the streaming media presentation; and there is nothing you can do
about it.
If it really is straight text that you're trying to protect. you might
have to encode it like an ebook. I think the "player" for ebooks has
rights protection built into it (copying and viewing protections).
"Keith Barrows (StarPilot)" <starpilot@(protected)> on 11/15/2004 11:33:03 AM
Please respond to aspnet-architecture@(protected)
To: aspnet-architecture@(protected)
cc:
Subject: [aspnet-architecture] RE: Controlling Copy/Paste/Print
Strike PDF out of the equation folks.
How do I handle Digital Rights Management of text in the following
browsers:
* Internet Explorer 5.5+ (5.1+ on the Mac)
* Netscape 6.2+
* Mozilla 1.1+
* Opera 7+
* Safari 1.2+
It needs to only allow X number of copies at a max # of characters per
copy.
- Keith
-----Original Message-----
From: Pamela Reinskou [mailto:pam.webpyrfect@(protected)]
Sent: Monday, November 15, 2004 2:34 AM
To: aspnet-architecture@(protected)
Subject: [aspnet-architecture] RE: Controlling Copy/Paste/Print
I saw the recommendation and it doesn't appear to handle public documents
any better than the built in PDF permissions. I still contend that the
frameset may be the central issue because displayed in a less than full
browser window the PDF will not resize itself correctly. That seems to be
what is driving them to look for an alternate solution; but I doubt they
will find one that:
1. Can handle public documents.
2. Doesn't use image (Tiff) format.
3. Doesn't use role based security.
4. Does the math properly to display in a split screen view (frameset).
IMHO I believe the presentation layer is the problem and that is what needs
to be resolved before anyone looks at alternate page handlers.
I say this because I have a similar problem and while everything works as
advertised when the content is all PDF it does not work correctly when the
content is mixed. I find that I have to alter the same type of frameset
that the Gary has so that that it can handle PDF output correctly. So by
using the built in PDF settings I have reduced my work load down to just
figuring out if a document is in .PDF format and redirecting it to the
correct page viewer.
Pamela Reinskou
-----Original Message-----
From: Philip Nelson [mailto:panmanphil@(protected)]
Sent: Saturday, November 13, 2004 2:05 PM
To: aspnet-architecture@(protected)
Subject: [aspnet-architecture] RE: Controlling Copy/Paste/Print
Not if they don't use Acrobat reader to view the pdf ;-)
When I referred to security vs inconvienience, that what I meant. The adobe
products will make it conconvienient for the average user to cut and paste.
But since you can just download the pdf with another tool, and view with
with another tool, you can't really prevent people from seeing the bytes in
the document that way.
Make sense?
--- "Keith Barrows (StarPilot)" <starpilot@(protected)> wrote:
> But does it allow a rules based control of copy/paste? Everything
> else seems right about this product. However, the end user is allowed
> a limited copy/paste per document - controlled by server side settings
> for each individual.
>
> - Keith
>
> -----Original Message-----
> From: Philip Nelson [mailto:panmanphil@(protected)]
> Sent: Saturday, November 13, 2004 10:11 AM
> To: aspnet-architecture@(protected)
> Subject: [aspnet-architecture] RE: Controlling Copy/Paste/Print
>
>
> --- Pamela Reinskou <pam.webpyrfect@(protected)> wrote:
>
> > I understand your problem with PDF it really needs to be in a new
> > instance of the browser. However this may be your problem all around.
> > Basically unless you open a new window you have no control over it, so
> > all the code in the world will not prevent the die hard from stealing
> > if that is what they are after.
>
> Just cut me off if everybody already gets this ;-)
>
> If a pdf can be viewed in *any* browser window, it can be downloaded
> with another tool that completely circumvents your browser based
> methods to prevent save, cut and paste. If the bytes can get to any
> process the user chooses, the user can do whatever they want with
> them, period. curl or wget are really simple download tools. Gview can
> display pdfs. So if you want to actually secure this content, you will
> need to control the client side code that displays it.
>
> The tool I mentioned last worked something like this from what I could
> tell.
>
> client opens page.
> activex object is loaded or user is directed to download page, the
> usual drill the activex object opened a secured connection to the site
> to list content user chooses a document to view the activex object
> opened a secure connection to download the document bytes the activex
> object opened the application that displayed the bytes to show me the
> document.
>
> Here is where the proprietary part came in. Whether word, excel or
> pdf, I couldn't save the document, nor browse to the location the
> application thought the temporary file was located. The document never
> "existed" in the sense that it would with a browser that would have
> copied to a temp location before viewing. pretty cool really.
>
> =====
> Philip - http://blogs.xcskiwinn.org/panmanphil
> "There's a difference between righteous anger and just being crabby" -
> Barbara
>
> Need SQL Advice? http://sqladvice.com
> Need RegEx Advice? http://regexadvice.com Need XML Advice?
> http://xmladvice.com
>
>
> Need SQL Advice? http://sqladvice.com
> Need RegEx Advice? http://regexadvice.com
> Need XML Advice? http://xmladvice.com
>
=====
Philip - http://blogs.xcskiwinn.org/panmanphil
"There's a difference between righteous anger and just being crabby" -
Barbara
Need SQL Advice? http://sqladvice.com
Need RegEx Advice? http://regexadvice.com
Need XML Advice? http://xmladvice.com
Need SQL Advice? http://sqladvice.com
Need RegEx Advice? http://regexadvice.com
Need XML Advice? http://xmladvice.com
Need SQL Advice? http://sqladvice.com
Need RegEx Advice? http://regexadvice.com
Need XML Advice? http://xmladvice.com
Need SQL Advice? http://sqladvice.com
Need RegEx Advice? http://regexadvice.com
Need XML Advice? http://xmladvice.com
|
|
