Non-WTF Solution to a WTF Problem (Web content protection)



  • An old friend of mine who's running a company wants to have a Web-based training software, and he has some nice software picked out to use. All's well, it's opensource php and he loves it and can administrate it (he isn't a poweruser). This software is only for his employees, a couple dozen construction workers.

    The problem is, he wants to have some kind of copy protection for the text and graphics. He understands that it will still be possible for any user of reasonable experience to get the pages, and he's fine with that. He just wants to protect it from people like himself.

    So my question is, does anybody know if there's a solution to this problem that won't require me to modify third-party php code? I'm thinking of something like a proxy that'll pass the requests to the back-end php while adding the proper Javascript or CSS code to every page, or something. Does anybody know if that's possible?

    Or maybe I'll talk to the guy from Right-click Revenue (haha!) 🙂
     



  • IMDB has a technique where they use CSS positioning to place a scaled 1x1 transparent gif over their photos so that right-clicking and doing a save-as saves the 1x1 gif.

    Of course this does nothing to stop knowledgeable users.

     

     



  • I was thinking of doing something like that over the full document, or something. That's enough for him to be happy, but it's also more work than I want to do (ie, none). Maybe I'll write my own proxy that automatically forwards requests and protects content. 🙂



  • Ooh... inspiration has struck....

    Create filtering proxy that converts all of the text into images of the text, and converts all of the images into html tables where each pixel in the image is a 1x1 cell of with the background color set to the appropriate color.

    Hehe... evil I know.

     

     



  • Haha, that would be awesome and evil. Converting text to images would be nice, it would fit in with his requirements better than anything else, but I don't think I'm willing to put that much effort into this. 🙂

    I'd have to run the full html page through an html parser, get it to dump everything to an image (probably a .jpeg, just for the crappy quality... fine, a png 🙂 ), then run the image through that php script I that somebody posted here to convert the image to a table.

    You know, funnily enough, that would probably be perfect. shiver twitch
     



  • @dsharp said:

    Ooh... inspiration has struck....

    Create filtering proxy that converts all of the text into images of the text, and converts all of the images into html tables where each pixel in the image is a 1x1 cell of with the background color set to the appropriate color.

    Hehe... evil I know.

    I think we still want to actually serve the text. 🙂



  • @dhromed said:

    @dsharp said:

    Ooh... inspiration has struck....

    Create filtering proxy that converts all of the text into images of the text, and converts all of the images into html tables where each pixel in the image is a 1x1 cell of with the background color set to the appropriate color.

    Hehe... evil I know.

    I think we still want to actually serve the text. 🙂

    If the layout of the various pages is fairly constant, you could serve up everything as a Flash applet. There's decompilers which can extract everything, of course, bu tlike you said, you're not looking for bulletproof security. just security-by-bandaid.
     



  • Sadly, it's somewhat dynamic, and will potentially include content like videos and forms. 😞



  • I was thinking of doing something like that over the full document, or something.

    That won't work anyway, because then they won't be able to actually click on anything at all, including things people will want to click on such as hyperlinks.

    Honestly, with such "low" requirements I'd just swallow right-click events using Javascript and be done with it.  That's going to weed out the most inept of users, and that seems to be all he's asking for. 



  • @Nozz said:

    I was thinking of doing something like that over the full document, or something.

    That won't work anyway, because then they won't be able to actually click on anything at all, including things people will want to click on such as hyperlinks.

    Honestly, with such "low" requirements I'd just swallow right-click events using Javascript and be done with it.  That's going to weed out the most inept of users, and that seems to be all he's asking for. 

    Yeah, true enough. But going one step further and replacing every character with an image might work, too. I'll have to give that a try and see if it actually looks reasonable.  



  • @rbowes said:

    So my question is, does anybody know if there's a solution to this problem that won't require me to modify third-party php code? I'm thinking of something like a proxy that'll pass the requests to the back-end php while adding the proper Javascript or CSS code to every page, or something. Does anybody know if that's possible?

    Technically, there's just no solution for this since you can't prevent the real dumb-arses to just type over the text or using printscreen to get the image. And the more advanced ones will have their own neat tricks to get the page contents. (Which might include something simple as saving the page to a file.) Even if they have to use OCR software to get it. You'd be spending lots of time to work on a system that would just require your visitors to become more intelligent into getting the information from your site. Once your text and images are inside the browser, they're under their control.

    So maybe make an ActiveX form which you put on your site and display it's context inside this control. A Flash or Java control would be just as effective too. Your target of control is the browser, and you must avoid having any copyrighted stuff in the browser itself. Put it somewhere, where you have more control. 



  • @rbowes said:

    So my question is, does anybody know if there's a solution to this problem that won't require me to modify third-party php code? I'm thinking of something like a proxy that'll pass the requests to the back-end php while adding the proper Javascript or CSS code to every page, or something. Does anybody know if that's possible?
     

    Ya know, the 'auto_append_file" and "auto_prepend_file" config parameters in PHP might come in handy. If all you're looking to do is embed some dinky right-click disabling Javascript into each page without having to modify the app's code, then these might do it for you.

    The prepending and appending is done blindly/stupidly, so you'd end up with code that looks like

    <script>   <---prepended data here
    // yada yada
    </script>

     <html> <---regular page contents here
    <body>
    <!-- more yada yada yada -->
    </body>
    </html>

    <script>   <---appended stuff
    // yada yoda yoda yoda
    </script>
     

    but most browsers will handle this relatively gracefully. Good luck getting the W3C validator to greenlight it, though.
     



  • @rbowes said:

    An old friend of mine who's running a company wants to have a Web-based training software, and he has some nice software picked out to use. All's well, it's opensource php and he loves it and can administrate it (he isn't a poweruser). This software is only for his employees, a couple dozen construction workers.

     Set up a citrix terminal server and run the web server for the training software on it, bound to the localhost interface. Set up a single page on the external interface that serves up the citrix JAVA client applet. The login script now only needs to start the web browser on the training software page.

     
    You'll have: construction worker -> PC -> Web browser -> Java Applet -> Terminal Server -> Web browser -> training server. The Java applet in the chain effectively blocks copy&paste. Saving the webpage will only store it on the  terminal server. The only way of getting any information out is by taking a screenshot of the web page in a java applet in the local web browser.

     
    Here's an example of what I'm talking about.
     



  • @Nandurius said:

     Set up a citrix terminal server and run the web server for the training software on it, bound to the localhost interface. Set up a single page on the external interface that serves up the citrix JAVA client applet. The login script now only needs to start the web browser on the training software page.

    When I was at 6th form, they had one of these on the site for access to the various CD-based encyclopaedias and junk like that. It took us about two days to figure out how to escape the web browser and use the server for more worthwhile purposes, like playing quake 2.



  • @MarcB said:

    Ya know, the 'auto_append_file" and "auto_prepend_file" config parameters in PHP might come in handy.

    The prepending and appending is done blindly/stupidly, so you'd end up with code that looks like

    And IE will be in quirks mode for CSS rendering. 



  • Heh, I totally forgot this thread existed, sorry about that! To PMS: I'm aware that this is an unsolvable problem, but I just want some half-arsed solution that'll fix the problem "good enough". There aren't going to be any half-intelligent users, so I'm not too worried.

    @MarcB said:


    <script>   <---prepended data here
    // yada yada
    </script>

     <html> <---regular page contents here
    <body>
    <!-- more yada yada yada -->
    </body>
    </html>

    <script>   <---appended stuff
    // yada yoda yoda yoda
    </script>
     

    but most browsers will handle this relatively gracefully. Good luck getting the W3C validator to greenlight it, though.

    Hmm, that I didn't know about, it sounds very helpful. Now I just have to spend 5 minutes writing that, steal some code from "right click revenue" because the irony is too awesome to deny, and bill him for the full 12 days since I posted this. Woo!

    (Too bad he's a friend and I can't rip him off 🙂



  • I hate getting this request from clients(it happens quite often), it's such a lame request because who are you hiding it from really, only people who are totally computer illiterate.  I remember i had a client ring up one day all stressed because they'd hit "File" and realised you could save their web page, so anyone could just take their info.  These kinds of requests show an amazing lack of understanding of digital data.  If you want to put stuff on a public web site it is just that, public, it's either that or don't have one, i mean if they really wanted to they could just retype your information manually, if someone can read it it can be copied, it's just stupid to assume otherwise. 

    You can use encryption or whatever but in the end if it going to be human readable then it can be copied(even if it's taking a photo of the screen).  I understand they are just trying to stop lusers from copying the data but it takes a very minimal amount of computer knowledge to get around the solutions i've seen to this particular problem, so minimal in fact that it's not even worth doing.  And if they really wanted it i bet there's at least one person in every office "savvy" enough to figure out how.

    The most secure one i can think of is the creating an image(as metioned above) but a quick run through OCR and you're done.



  • If the site is only for his employees, then why does he need to protect it's content?



  • On the right track... to prevent messing up the HTML you can use output buffering and string replace on <head> (assuming every page has a head tag...)

     

    auto-prepend.php:

    <?php ob_start(); ?>

     

    auto-append.php:

    <?php

    $str = ob_get_contents();

    ob_end_clean();

    print(str_replace('<head>', '<head><script type="text/javascript" src="lame.js"></script>', $str));

    ?>

     

     

    Something like that, anyway... 



  • @spxza said:

    If the site is only for his employees, then why does he need to protect it's content?

    He fears that an employee will leave the company and bring everything with him. I told him he's just being paranoid, but he insisted.

    @RoBorg said:

    On the right track... to prevent messing up the HTML you can use output buffering and string replace on <head> (assuming every page has a head tag...)

     

    auto-prepend.php:

    <?php ob_start(); ?>

     

    auto-append.php:

    <?php

    $str = ob_get_contents();

    ob_end_clean();

    print(str_replace('<head>', '<head><script type="text/javascript" src="lame.js"></script>', $str));

    ?>

     

     

    Something like that, anyway... 

    That's nice, I like that. I hadn't even thought of using output buffering. Thanks!



  • Add a:

    <script language="javascript">if (document.location != 'expected URL') { while(1){alert("Do not steal!");}</script>

    Might keep people away from using the evil file->save 😉 



  • @Daid said:

    Add a:

    <script language="javascript">if (document.location != 'expected URL') { while(1){alert("Do not steal!");}</script>

    Might keep people away from using the evil file->save 😉 

    But not from browsing the "<webpage> files" folder that is created along the HTML file and finding all images on a silver tablet.



  • @dsharp said:

    Ooh... inspiration has struck....

    Create filtering proxy that converts all of the text into images of the text, and converts all of the images into wooden tables where each pixel in the image is a 1x1 cell of with the background color set to the appropriate color.

    Hehe... evil I know.

     

    Fixed that for you :p



  • @Daid said:

    Add a:

    <script language="javascript">if (document.location != 'expected URL') { while(1){alert("Do not steal!");}</script>

    Might keep people away from using the evil file->save 😉 

    You forgot to add a top-most 100% x 100% div over the page.    🙂



  • There is none. When you place content on a public server, it becomes public property (copyright not withstanding).

    When Alice cannot keep anything from Eve when Bob and Eve are the same person. 



  • @robbak said:

    There is none. When you place content on a public server, it becomes public property (copyright not withstanding).

    When Alice cannot keep anything from Eve when Bob and Eve are the same person. 

    Amazing! Clearly no one on this thread had that figured out before. Least of all the original poster who just explained in his very first post that he knew and why he made this thread nevertheless.



  • Not as amazing as me, 2 months after the last post, reading the whole thing from top to bottom thinking why has no-one come up with the same bloody conclusion. <thread />

    <newone>More fool me<newone /> 

    </website> 


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.