Brilliant Idea, ess cue ell, knowledge bank, copy+paste, encryption etc.

[otangabang]

I came up with a good idea to make a shitload of money. It's kind of complicated but also quite simple.

Basically, there are a ton of sites that sell e-book versions of university textbooks. These sites require purchasing of a textbook which, when copied and pasted, ends up looking like this:
1950,        ,     
         
             - .1 2
I,        R S,

at least on one of these websites. So it's designed to prevent reproduction of the document (beyond screenshotting every page).

I may or may not have found one of these websites that is vulnerable to SQL injection. I'm not the best with SQL injection but good enough to pull it off. I'm not sure entirely how it'll work out though, if it's just the tables and logins then whatever, a bunch of CC's and paypals, that's pretty cool and stuff but I want the whole textbook database. Why? I want to create my own, abridged version of this type of site where people pay a flat fee for all books of a certain subject (sciences would be most expensive) that allows them a yearlong (or possibly longer) access to the site, similar to netflix. The pricing would be based on the volume of books and would include access to forums (might not include this component as it could promote the sharing of text from different sections, cutting into revenue) where users could submit their own text files or E-books in exchange for a share of the profit in accordance with how many times it's downloaded.

 The idea of this is that of a knowledge bank of human capital, including books from universities, trade schools, nefarious criminal activities, fiction/non fiction everything you can think of. Prices would depend on the volume, number of user submissions, demand, etc. thus it would incentivize early long term adopters who'd have access to all materials over the period of time they've signed up for at a cheaper rate.

 My issues/questions are:

1. How do I both break and create the type of shitty encryption these sites use?
2. What can I expect from the SQL dump? How would I load onto another application while keeping files intact and readable?
3. How do I make an online "reader" application that would ideally be both secure and open source?
4. Is an "online reader" type the best medium for this? PDF's seem stupid and outdated and I want something that's accessible only on the website, similar to netflix with seamless scrolling etc
5. Anyone want to help? PM me

I think there were a few more smaller issues that I can't remember but I'm mostly just trying to think of the feasibility of this job.

All intelligent replies appreciated, thanks

[aldra]

gonna move this to ns&h, not that it makes too much difference right now

I don't understand the purchase scheme, so it's probably worth clarifying.

as for using sqli to copy their data, a few things:

if they're not retarded, their standard logon credentials should be in a completely different database to the actual content of the books, and both databases will have separate user credentials so getting access to one will not immediately grant you access to the other.
1. if they're idiots and only have one set of credentials for all databases, you should just be able to sql USE bookdatabase and SELECT * from there.
2. if the books are stored separately from the logins, you'd have to try and find/crack a global admin account in the user list and write a script to scrape the books using their web interface and those credentials.

in either case I assume it's a fairly big repository so grabbing everything is going to generate a lot of traffic - they or their host may notice a massive traffic spike to a single IP and realise what's going on.

for the rest of it, it sounds like you're going in way too blind for this to be safe or sane for you, but briefly:

what you can expect from the SQL dump is either a bunch of ebook files or the raw text of each of the books. if you're presented with .pdf files on the site, for example, they're most likely stored as pdfs in the database. you could either save the pdfs or load them into your own SQL database.

how do you make an online reader? if you're asking that question, you have no hope of making it secure. check github, sourceforge etc.

making it available online only? you'd likely want to use HTML5, but doing that is wanky as fuck.

if you try to charge money for stolen content on the regular internet without knowing enough to answer those questions yourself, you WILL go to jail so I strongly advise against it.

[otangabang]

gonna move this to ns&h, not that it makes too much difference right now

I don't understand the purchase scheme, so it's probably worth clarifying.

as for using sqli to copy their data, a few things:

if they're not retarded, their standard logon credentials should be in a completely different database to the actual content of the books, and both databases will have separate user credentials so getting access to one will not immediately grant you access to the other.
1. if they're idiots and only have one set of credentials for all databases, you should just be able to sql USE bookdatabase and SELECT * from there.
2. if the books are stored separately from the logins, you'd have to try and find/crack a global admin account in the user list and write a script to scrape the books using their web interface and those credentials.

in either case I assume it's a fairly big repository so grabbing everything is going to generate a lot of traffic - they or their host may notice a massive traffic spike to a single IP and realise what's going on.

for the rest of it, it sounds like you're going in way too blind for this to be safe or sane for you, but briefly:

what you can expect from the SQL dump is either a bunch of ebook files or the raw text of each of the books. if you're presented with .pdf files on the site, for example, they're most likely stored as pdfs in the database. you could either save the pdfs or load them into your own SQL database.

how do you make an online reader? if you're asking that question, you have no hope of making it secure. check github, sourceforge etc.

making it available online only? you'd likely want to use HTML5, but doing that is wanky as fuck.

if you try to charge money for stolen content on the regular internet without knowing enough to answer those questions yourself, you WILL go to jail so I strongly advise against it.

I don't know why you moved it, I might just copy it to technophiles and technophiliacs again since aspects of that forum are more relevant than this one.

So you have no info on the C and P encryption?

Anyways, obv their user logins via SQL will be in a separate database, what I was asking (perhaps not so clear) was how the files would look should I get admin access via brute force. If not, would it be possible to WGET the books from each individual account? Fuck, I can change IP's with each login, that's not a problem but it'd be pointless unless I'm able to actually get the e-books.

University e-books aren't stored as pdf's they're typically in a file created by the manufacturer (which is typically one large US based one whose name I forget) which is then abridged according to where they're going. If they were in PDF form it wouldn't be a problem. What I need though is the key that decrypts the copy and paste function of just basically allows altering to the document to create at least some sort of plausible deniability. If I was to create my own "reader" I don't think this would be as much of an issue and would be a good feature of the site.

Do you know anything about textbook encryption algorithms?

[aldra]

I left a redirect in T&T so no need; it appears in both forums for the time being.

in a database sense the books themselves won't be stored 'in' an account; they'll be in a separate database. the user accounts in database A will have references as to which books they're allowed to load from database B. if you actually get a password though, yeah, you can use the web interface to download them - that's why I was saying you'd be best looking for an admin account, or anyone that has access to all books so you won't need to crack/scrape multiple accounts. usually there'd be a property under each user indicating which books they have access to, see if you can filter by '*' or 'all' or similar.

no I don't know how textbooks are encrypted, but from what you're saying, you'll probably need to get a copy of the server-side application that does the decrypting along with any relevant encryption keys... meaning you'd need access to the machine's filesystem.

if you scrape the textbooks from the web interface though, you'll have them in plain text, but you won't be able to use the same crypto scheme to present them to others.

[otangabang]

I left a redirect in T&T so no need; it appears in both forums for the time being.

in a database sense the books themselves won't be stored 'in' an account; they'll be in a separate database. the user accounts in database A will have references as to which books they're allowed to load from database B. if you actually get a password though, yeah, you can use the web interface to download them - that's why I was saying you'd be best looking for an admin account, or anyone that has access to all books so you won't need to crack/scrape multiple accounts. usually there'd be a property under each user indicating which books they have access to, see if you can filter by '*' or 'all' or similar.

no I don't know how textbooks are encrypted, but from what you're saying, you'll probably need to get a copy of the server-side application that does the decrypting along with any relevant encryption keys... meaning you'd need access to the machine's filesystem.

if you scrape the textbooks from the web interface though, you'll have them in plain text, but you won't be able to use the same crypto scheme to present them to others.

Thank you, an admin account would definitely have direct access to the database and the files would already be encrypted at that point. That's really the major obstacle, the question is whether the keyfile is available on server via the admin account which is a big IF and would be very frustrating to do all that work only to have the user logins and an admin account with access to files that aren't transferable across mediums. Maybe there's a way to download the files, then upload to a reader application while maintaining the files configuration, it'd just mean that I would basically have the same ability to alter files that a user would, lol.

Accessing the machines filesystem goes a little beyond the standard SQL dump and I can't say I've ever done that before but I understand how it works, theoretically so it's something worth looking into. Learning that is a whole lot of work for something that's not guaranteed to even be the outcome.

If I just scrape the textbooks, I'd have to encrypt then upload to the reader application, ideally one I'd make myself (or have someone else make), and although this is feasible, it's also very time consuming, on top of an already time consuming activity. If it's necessary, sure I'll do it but getting the keyfile would be ideal. The files are clearly made available by admins (not auto service through a gateway) so they have some sort of access and likely easily scrapable.

Still need to figure out the encryption scheme though, it seems so simple it should be defunct but it could be it's just not targeted the way people target other encryptions. I look forward to learning more about this, thanks

[Lanny]

Cryptanalysis is hard, you're not probably going to be able to do it here. You need to get the books either before they've been encrypted on the server or scrape them from the client after they've been decrypted. It's also possible the books aren't in the db at all, I mean if they have illustrations and stuff then they can get pretty big and at that point you're better off keeping them on the filesystem since RMDBs tend to underperform in blob handling.

Dump a listings of the tables, find the books table, and then dump the schema. Based on column names it should be pretty easy to figure out if the actual texts are stored in the DB or not.