Schneier on Security

Harry dies when the broom he is flying on is hijacked and flown into a barn ...

I agree that it's not likely to cost them any sales. I also wonder if the leak was perhaps intentional, a free way of getting a little more press and increasing the "buzz"?

They aren't worried so much about losing a sale. People buy multiple copies of those books.

They're worried about the suspense being broken for their fans as plot twists and the ending is leaked far and wide and loudly.

As of this moment, the fans who WANT to maintain the surprise and anticipation will have to be extra careful NOT to accidentally hear anyone revealing that info.

Oh, Bruce. You should have mentioned the coming future of the book industry. Things like this can be prevented. All we need is on demand publishing. You go to Barnes and Nobles, Borders, your local bookstore and at correct time the encrypted book is sent over the internet to each bookstore where its decrypted with the stores password and the books begin printing.

I think the music industry missed their opportunity with this kind of model, but producing a quality hardcover is going to require more sophisticated hardware than a cd burner.

Honestly I laugh at all of the cries from the publishing houses as well as the MAFIAA (sorry, it fits so well) when things are 'leaked'. If the song/book/movie/whatever is crap, then they are upset because people found out it's crap before they could waste their money on it. Shame on the publishers. If it's good, people will still pay to read/watch/listen to it, so no discernable amount of money lost.

What it comes down to is that these distributors know that they are pushing crap, and the only press a leak will give them is 'bad' press.

Why does "pirated on the internet" = "BitTorrent" to EVERYONE in the media?

I saw the files posted to Usenet, personally.

And I know Bruce is just reiterating the linked-to article but comeon - he's a computer scientist. A file isn't "on" BitTorrent any more than a file hosted by a web site is "on http".

Can you imagine how Apple would have reacted if images of the iPhone and screen shots of all its apps came out a week before they announced? Anyone who owes a reasonable percentage of business to a loyal fan base wants complete control of their message. All it takes is a few respected leaders in the fan base to criticize the product just before launch to spoil the event. BTW, I'm not in marketing -- I just channel them occasionally.

Surely the ASCII versions would be easier to create right now, from the ready-scanned images... just OCR the images, no need to re-scan.

It looks like a library copy. You can see a clear, plastic dust jacket taped on with that reinforced tape libraries like to use. I'm guessing some libraries got the books in advance, to prepare them for being checked out on the day of its release. There's a comment on that story that also says something similar.

If the publishers could have done anything to prevent this, it would have been to hold back the books from libraries until Midnight BST, when it first goes on sale. There's no point in protecting it beyond that -- the last book was up within a few hours of first being sold, still several hours ahead of the west coast release.

It's also interesting to note that the supposed spoilers from a month ago (where one of the publishers was supposedly hacked into) don't match up with any of the spoilers I've seen.

So here's how the book ends:

Harry and his friends are in a diner eating onion rings.

Then the next 30 pages are blank.

I always buy a copy (or 3) to see that JK gets the bling (she deserves it) but I also download the book and actually read it on my Palm simply because it it's infinitely more convenient to carry (the same with the Cryptnomicon).

By the way, Harry's been dead since Book 1 and that's his reanimated corpse under the control of Hagrid, who has been playing Dumbledore and Voldemort against each other all this time.

Given the inevitability of this, I've been wondering if I should lock down http://PotterPredictions.com/ now rather than on Friday. I think I'll risk it and hope no one cheats.

I'll save you the time of having to read it:

Valdemort did it.

I heard the EXIF data has the camera's serial number. Can anyone confirm this?

It's Nerds meet Rambo II when Harry and his friends from Hogwarts launch a surprise raid on Gitmo.

Who could have seen that coming?

"That wand's more trouble than it's worth" said Harry. "And quite honestly," he turned away from the painted portraits, think now only of the four-poster bed lying waiting for him in Gryfondor Tower, and wondering whether Kreacher might bring him a sandwich there, "I've had enough trouble for a lifetime".

oh well...

"So here's how the book ends:

Harry and his friends are in a diner eating onion rings."

Then Sally walks in...

i'm just thrilled that so many people are so excited to READ A BOOK

granted it isn't exactly The Economist, but J.K. Rowling has made the world a better place.

Yep, the images have the serial number in them. They were taken with a Canon EOS Digital Rebel, with serial number 0560151117.

@James

I find your faith in humanity... misplaced.

Let's not forget how many people probably pre-ordered this book weeks ago-- they're not losing any of those sales if it leaks, are they?

On another topic, though... if I was Rowling, I'd have paid to make a super-realistic fake, and had it leaked; just for kicks.

How hard is it to fake EXIF data?

How hard is it to remove an offtopic spam comment?

> How hard is it to remove an offtopic spam comment?

At that, an incoherent badly-written offtopic spam comment?

> Yep, the images have the serial number in them. They were taken with a Canon EOS Digital Rebel, with serial number 0560151117.

Canon: The Camera that Rats on you.

> Yep, the images have the serial
> number in them.
It's not a very secure deterrent measure.
I mean, there is no strong encryption and steganographoy of that identification data, no strong credential check to be able to read or write (and forge) those data.
A fairly skilled opponent can alter the data to accuse any other one (or to give no identification at all) making the whole system lose credibility in any court, so it would loose its effect also against non skilled opponents which may rise the reasonable doubt of being framed by someone else.

@Spider

The problem is that is so insanely ridiculously stupidly cheap to press CD's and print books. They know dam well they make more money this way. In fact its really hard to make a case for a less centralized model because its so cheap providing you print/press enough copies. CD's the magic number is about 1000, books depend on the format and printing method. Distribution is also very cheap these days.

At 1000 CD each cost about 0.50 EU and most of that is the masters which are good for usually 10,000. Books cost a little more depending on the folding steps and durability of the plates. But at 1000+ books all the cost you see in a bookstore in various middle folks share + the authors cut. In fact the authors cut is usually larger than the cost of the book. Paperbacks would be on the order of 1EU.

Basically it costs too much to distribute the way you suggest. Also there is the anti commons problem too

One of the local radio stations mentioned Monday that they had already received advanced copies of the book to give away ahead of the "official" release this weekend. Given that, I would say that the publisher has already passed their internal "release" date. The fact that digital photos of the pages are only now making it to the Internet suggests that they did an excellent job controlling their data. This is not a failure in security, but a success (as I think you were alluding to, Bruce).

@monopole
"I always buy a copy (or 3) to see that JK gets the bling (she deserves it)"
The books are inaginative and entertaining. Opinions will always differ as to what the author "deserves" for writing them, but I think it would be very difficult to argue that she deserves 1,000 times the lifetime earnings of a average full-time worker in a G7 country. She has received much more than that.

@matthew skala:

EXIF data is readable by numerous applications, and some preserve that data when modifying images. The Wiki article mentions that EXIF editors exist, but doesn't list any. A quick Google search reveals a number of editors.

So, it's pretty damn easy, but unless you script it, you're not going to apply that to several hundred images.

@Nostromo:
"I think it would be very difficult to argue that she deserves 1,000 times the lifetime earnings of a average full-time worker in a G7 country."

I haven't read a single line of these books or watched a single scene of the movies. Considering that thousands upon thousands of novels are released each year to little fanfare and end up in the bargain bin, I figure Ms. Rowling deserves every penny. I'm not sure any of us can create a worldwide literary phenomenon. Blame whatever you want on slick marketing, but I don't think you sell a franchise of books without them at least being readable or enjoyable. Otherwise people would stop buying them.

I don't see why she isn't any more entitled than pro athletes or movie stars. At least she gets people to read something. That's not exactly worthy of a medal, but it's certainly a better contribution than any sports figure.

@C Gomez: "I don't see why she isn't any more entitled than pro athletes or movie stars."

I have the feeling that Nostromo would agree with you there. I also have the feeling you're missing his/her point.

These people who read the book early are the same people who opened their Christmas presents early and re-wrapped them.

"...flown into a barn".

THAT is funny,

Spoiler alert:

At the end of the book, Dumbledore gets killed by Snape...

Oh, wait...

DAMNIT, I downloaded the wrong book!

Unlike the CEOs of American corporations, who by Divine Entitlement merit millions in bonuses regardless of performance, Ms. Rowling has earned her fortune the honest way by creating something highly valued. Criticizing her writing is fair game, but criticizing her accumulation of wealth is not. She clearly deserves every penny.

One thing Ms. Rowling has done is taught her readers that reading can be fun, that reading needn't be just onerous assignments. She has taught a very valuable lesson to I don't know how many million children. That alone looks to me to be worth a whole lot of money.

@dhasenan (and others regarding the EXIF data)

I wonder if the Google Image Search has an option to search for images with a specific EXIF field value?

Dan

I have trouble visualizing Scholastic (for it appears to be the US edition, from the title page in the linked post) going to all the trouble of writing a fake book, printing it, binding it, and then releasing photos of it... but it seems odd that Scholastic previously announced it would be 784 pages long, and the photographed book is reported to only have 759. Yeah, yeah, it's only a 3% difference, but you'd think they wouldn't announce the page count until they were absolutely sure.

@dhasenan "...but unless you script it, you're not going to apply that to several hundred images."

so forget post-creation edits, how hard would it be to hack the camera firmware to change the contents written in the EXIF data?

yeah, I know, harder than writing the script to edit hundreds of images, but cleaner and more elegant...

I don't need to download the book to read it for free.

There is a place in the town where I live that will loan me the book for free (but for a couple of weeks.)

Whatever you do, don't tell the publishing companies 'cos I don't know if this "library" place is all that legal...

"so forget post-creation edits, how hard would it be to hack the camera firmware to change the contents written in the EXIF data?"

How hard would it be to purchase a cheap digital camera anonymously (i.e. using cash), and dispose of it when done? Works with cell-phones, apparently...

My question (I haven't seen the images): are those which contain pictures of fingers good-enough to extract fingerprints?

Unfortunately, the inherent value of a digital copy of any work is now very close to zero. Since anyone with a PC can make a copy and easily digitally distribute it to others without any loss in quality, there remains little barrier to spreading around anything that can be digitized.

The question is - will movie, music, photo, software, and print companies work on a new formula for making money from this phenomenon or will they continue to sue their most avid customers using laws they created through bribed officials? Will they create a truly usable medium or create more headaches and frustration for their users through proprietary DRM schemes and questionable lawmakers?

While digital copies are all well and good, there is a certain human nicety and warmth in actually holding a book, turning pages manually one-by-one, and seeing one's progress through the book page-by-page.

Of course, having the printed version clock in at well over 600dpi resolution with high background contrast in full-wireless mode doesn't hurt in the least.

The question is, since EXIF data is so trivially easy to modify (yes even in batch mode) does the EXIF information in the images represent the actual camera? Will a prosecutor consider this sufficient evidence?

There's speculation that the images were taken in a library. So an employee that hates the head librarian (and noted the information on the camera she uses) loads some famously illegal images with that data...

People use meaningless information like this without understanding the technical aspects as PROOF of a crime. MPAA/RIAA and IP addresses or mp3 ID3 tags anyone? You might as well use a Ouija board.

-> There's speculation that the images were taken in a library <-whence such assumptions?

Russian fans already have translated some chapters into Russian and have retelled all book

I loved it when Harry wakes up next to Suzanne Pleshette and tells her she'd look great in a Weasley sweater.

"-> There's speculation that the images were taken in a library <-whence such assumptions?"

There's a previous comment above that says:

"It looks like a library copy. You can see a clear, plastic dust jacket taped on with that reinforced tape libraries like to use. I'm guessing some libraries got the books in advance, to prepare them for being checked out on the day of its release. There's a comment on that story that also says something similar."

I do think this will further increase media coverage and hence will boost awareness and sales.

There's more than one security issue here. A friend succumbed to temptation, and got a computer virus along with the images.

@X:"purchase a cheap digital camera anonymously (i.e. using cash)"

As long as we are trusting the EXIF data ... a Canon EOS Digital Rebel is NOT a cheap digital camera.

It's interesting to note that not only has a copy of HP7 been released, but that more than one has been, and the two different copies disagree with each other in a number of particulars, most notably the chapter titles.

More than one copy is being posted, but, of the copies that purport to be pictures of the pages, there is only 1 full copy. The other "copies" which are being posted are generally (a) just a fake epilogue with nothing else, (b) the Table of Contents and a fake Epilogue or (c) a few pages here and there.

They look pretty clearly photoshopped. The text is way to clear.

The rest of the "leaks" that are pdf documents are generally novel length fan fiction that's been circulating on the internet for awhile.

The real leak is pretty easy to spot, its the one that's pictures of the book against the background of that god-awful greyish speckled industrial looking carpet.

This doesn't strike me as a legitimate concern (stopping it from leaking). This isn't a trade secret that is given to only a handful of people, but something meant.... hoped eve, to be dispersed to as many people as possible.

The only concern is to control the frenzy and maximize profits beyond what book cycles usually go through. I get review copies before the author is even done for some books.

Here is an article that discusses tracking the camera used to take the pictures

http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/books/article2104250.ece

Petréa Mitchell:

A librarian says at http://tinyurl.com/2cf2p2 that the card catalog at her library lists the page count as 759 (link goes to the "Sword of Gryffindor" website and is spoiler-free).

Darn. I've read some non-spoilery comments from hardcore Potter fans, and they're disappointed by it by about a 2-to-1 margin. But thanks for clearing that up.

from http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/books/article2104250.ece
""The Exif data is like the picture's DNA; you can't switch it off. Every image has it. Some software can be used to strip or edit the information, but you can't edit every field," "
Well, if the guys investigating on this case really think this (and really intended to say this), the leaker may sleep well!
What heck does it means?
They think an hex editor and a script cares about letting you altering some fileds and some other not???
It's a file, and it's in the whole power of the user to edit it in any bit; an aware user may turn any of those fields in garbage and the whole point is that the image will still work and be readable and errors or fakes in those fileds will simply be ignored!
So what kind of proof it can be?
The file may get edited, the camera may be stolen or buyed anonimously just for that purpouse... at the end, it turns to be more a nag to legitimate users than a real treath for aware attackers.

@mistral
That whole article is hilarious. It looks like a desperate attempt to scare people into not doing this sort of thing, they could be traced by digital DNA!!!

I especially like this bit: "Because the model is three years old, the device would likely have been serviced at least once ...". Doesn't say much for the reliability of this make/model of camera :-)

EXIF data is trivial to edit. Looks like the joker who leaked HP7 didn't know about it and therefore didn't wipe it (or they did know about it and faked it). (Note to self, use "exiv2 --delete *.jpg" (http://linux.die.net/man/1/exiv2) or similar when I leak HP8.....)

Now... the CCD fingerprinting discussed here a few months ago, that might be a bit more of a problem to circumvent. At least CCD fingerprints (probably) aren't on record like serial numbers are.

I did a little image analysis on the images and came up with more information than just the camera's serial number:

http://www.hackerfactor.com/blog/index.php?/archives/70-Harry-Potter-Leaked-and-Analyzed.html

If they really want to catch the photographer, then I believe the photographer can be tracked down easily enough. If nobody catches him, then it is probably because nobody is interested enough in catching him and not due to anonymity on the Internet.

These people who read the book early are the same people who opened their Christmas presents early and re-wrapped them.

The only concern is to control the frenzy and maximize profits beyond what book cycles usually go through. I get review copies before the author is even done for some books.