[1657] in WWW Security List Archive
Re: preventing downloading
daemon@ATHENA.MIT.EDU (David M. Chess)
Fri Mar 15 13:32:08 1996
Date: Fri, 15 Mar 96 10:16:13 EST
From: "David M. Chess" <chess@watson.ibm.com>
To: mattj@indiana.edu, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
A common question. As others have said, the short answer is
"no, you can't do that". If I control my machine, and I'm
able to use my machine to *view* your information, then I
can use my machine to *copy* your information. (Think of the
limiting case: how do you prevent me from videotaping the
sequence of screens that I read?)
But, as with so many other security questions, the easy "no,
you can't do that perfectly" asnwer is just the beginning.
As usual, the real question is "how hard can we make it to
steal this data, knowing that it'll always be -possible-?".
There are various things you can try to do to make it hard for
me to: hack your proprietary browser to ignore <nocopy> tags,
hack incoming data to remove <nocopy> tags, reverse-engineer
your proprietary browser and write my own that laughs at
<nocopy> tags, and so on. If some government or megacorp
wants to copy some data that they can view, they'll always
succeed. But if all you care about is that the average
end-user can watch "The Lion King" without being able to
trivially copy it, there are some things you can do. Maybe...
- -- -
David M. Chess | Mah'-ee huv'-erk-raft
High Integrity Computing Lab | iz fuhl ov ee'-ulz
IBM Watson Research
