If I can display it on my screen, I can EASILY print it no matter what you do. If you are not legally allowed to let them print something, then don't show it!

Well, obviously there's going to be people like you who have their printers connected directly to their video card (perhaps you've hard-wired it to your monitor's cable) so you'd be well justified in writing "easily" in all upper-case; but, even locked doors are only designed to keep out the innocent.

I am hoping for a control that bypasses the GDI (Windows terminology again) thereby making it less easy for users to print.

Though I'm curious; it's illegal to steal from a bank, so by your logic, we should get rid of banks, simply because one person might find it easy to bypass bank security?

Priter connected directly to video card?! Whaaa?

There is no way to prevent it. You can make it more difficult, but ultimately as jalarie said, if it can be displayed, then there is no reliable way to prevent it from being printed.

HTML pluggable control that would render text to the screen while preventing copy-and-paste, screen-capture, and printing.

You can't really control hardware (i.e. printer, screen, whatever) using HTML. That's the point behind HTML - it's platform independent. You provide the content, but the platform is determined by the user.

What folks are telling you is that your efforts will be futile. You can only send the text to the end user - after that it's up to them what they do with it. That could be print, video, text to speech device, or anything.

Never mind that once you've sent the information to me, it resides on my computer...your talk of GDI is a good example. I run linux, so how are you going to bypass GDI on my system? You can't - I don't even know what that is. I can run it through my browser, I can view it text only using lynx (a text only browser), heck, I can even pipe it directly from the internet into a file.

What you are looking for, is basically a virus...or at least something that exhibits all the characteristics of one..

Can be done ( but Xplatform is out ) ..I actually wrote something like this with a friend years ago ..worked so well we had to reboot our own machines every time we finished looking at my own pages just to get "right click" working again even in things outside of the "browser" ( IE being a "sub" of "windows explorer" means you kill the options in IE ..you kill them in windows explorer )..we stopped using it very quickly ( within 2 days ..it worked but it was so irritating ..and worked like a virus ..if it walks like a..quacks like a..then it is a...)..since then IE has got harder..but still not impossible to do.

Thing is ..do you really want learn how to write and to use a virus ..or go looking in the places that one finds virus writers for hire ( and get flagged for malware etc etc ) to protect your stuff..?

Thought not..better just not to put the stuff out there :) ..and a camera shot of the screen would get a readable image anyway..

Plus all the stuff wheel said..

Btw this posted from Linux ..what you are thinking of only really ( half-ish ) works on windows.

stickies asking about this and related stuff will be ignored ..it was an academic exercise to see if we could do it ..we did it ..never used it again..and have no intention of explaining how it was done ..and with advances in browser / machine security it would be more complex to achieve nowadays ..IMO , life and time are for doing other things :)

Hi all.

Thank you kindly for all the responses.

I should probably be a little more explicit as ye all seem to be answering questions I didn't ask:

When I say "HTML pluggable control", I mean using the <OBJECT> tag to load an executable library (so, although it is hosted inside a web-page, the code is native machine-executed code).

It is more important that it is not printable than that it is screen-visible, so if you have a text-only browser, then (when the OBJECT tag is not rendered) you inherently get the default action of jalarie's suggestion--don't show anything.

For users who do want to see the value, they have one option: download an <OBJECT> library that will let them see it, but not let them print it.

As for transferring the information so that it isn't retained on the local machine, the <OBJECT> library could do an SSL connection to request the data it is to display, and load and decrypt it in non-pageable memory before dumping it into the video memory.

I'm not too well up on Linux internals, but as a general rule of OS design, output-devices are usually abstracted behind some render-context so that rendering to printer or to monitor is transparent (for Windows, this is done through the GDI). However, if rendering is done straight to video memory, it will appear on screen but not be printable (because printers don't render from video memory), and cannot be screen-captured (because screen-capture comes from a desktop render-context). I know I'm making a number of assumptions about the OS architecture, but actually, that doesn't really matter..

..because all this is chin-scratching fluff, that I'm sure security-professionals eat for breakfast. My original question was whether anyone knew of a solution that was already implemented; some security-professional has already been through all this and developed a plug-in that is cross-platform/-browser (or at least has one library per platform/browser that can be served as necessary).

I don't need any more answers that say it can't be done (I already know I can *not* do it--I'm doing it that way right now). Just like any security option, there is no absolute solution that solves everything, just a best one for a given situation (and they're always better than no solution). I'm not going to remove the spring-bolt from my front door just because I know a thin card can bypass it, instead I add a dead-bolt and a door-chain.. and then someone comes along with a SWAT battering ram!

I have seen in done by setting up a blank print Style

will only save you from the nongeeks

Leosghost: A camera shot of the screen would get a readable image anyway.

Amen! Cellphone takes the picture, sends it to e-mail, and I print it. Even my 8 year old grandson knows how to do that. If you don't want it printed, don't display it.

OK. Perhaps I need to change tact..

My users aren't legally allowed to print these values, so as a kindness, I would like to prevent them accidently doing so as much as possible. If my users want to break the law, I will not stop them, and more importantly, can not stop them (as stated by nearly everyone here (including myself in my original post)--I know; I get it). I'll also be sure to add a warning to the top of the page informing people to talk to their 8 year-old grandsons about the dangers of taking photographs of the page.

Thank you Realbrisk for giving the only answer so far that actually addressed my question, and not your own agenda. I will be implementing your suggestion, but will still hope for a more secure one.

Thank you everyone for your input so far.

On any Windows machine, Ctrl-Alt-PrtSc, open any graphics program, Paste, and you're done.

My users aren't legally allowed to print these values

I'm confused on how you can legally show the images yet they can't legally print them.

there are a few other things you can do to prevent text selection, but none of them are secure. and they wont stop printing.

you can prevent them copying text with a bit of javascript. i dont mean the one that prevents right-clicking, because that's just annoying, but the one that checks what's on the clipboard and blanks it out. you can even change what they've copied onto the clipboard with your own line of text, or change it to just a snippet of the text.

... but of course they can simply turn javascript off.
you can sticky me for the script if you want.

another easy thing that you can is to stretch a blank image over the bit of text you dont want them to copy (but that will also prevent them pressing any of the links underneath)

...but they can simply view the source and copy that instead.

and you can put

-moz-user-select:none

in your CSS too, which prevents text selection on non-IE browsers

...although they can still right-click and do 'select all'

As an example of how other programs TRY to stop you printing, take Adobe Acrobat.
You can protect a PDF file with a password and have various options, such and not allow printing and not to copy text.

And yes, when you open the PDF the print option is not available and you can't copy the text, but press print-screen and there it is ready to paste into something else and print.
Could even then run give it to some OCR software and you have the text.

So even Adobe can't fully prevent someone priting, and this is in a native OS application, not something that can be run in different browsers on different OS's.

Thank you all,

[g1smd] You could have made your response more concise by just writing, "I didn't read any post in this thread" ;)

[StoutFiles] As I understand it, "logic" and "legal" don't mix; I don't understand it either. However, I'm just a programmer so I do what the grown-ups tell me to do.

[londrum] Where I am right now is, I am using CSS to hide from printing, and a Java applet to prevent copy-and-paste. The Java applet just displays the value and is populated by an Ajax response. In this way, the actual value is not stored on the page (view-source doesn't help (only an id' that Ajax uses to look up the value is stored there)) and being in an embedded control, is not copied into a text-stream in the clipboard. I'm also thinking of generating unique use-once Ajax id's so if a copy-and-paste does copy the object, the value it is populated with when pasted will be out-of-date (I'm assuming the copy-and-paste won't serialise the whole Applet's heap and rely on reinitialisation when pasted)

[ProbablyMike] If I open an AVI in VLC or some other video player in Windows and do a screen-capture, then paste it into a graphics program, the video frame is not pasted. Instead, a single-colour block appears in its place. This is a mask and is used by the direct-to-video-card renderer to tell it not to overwrite parts of the screen that the GDI has blocked (e.g., for overlapping windows). If I move the graphics-program-window showing the screen-capture, the video playing in a background window will appear through the foreground window, demonstrating just how confused the GDI is by a direct-video-render. I assume Adobe didn't do this in Acrobat because, well, I've no idea.

Thank you all again.

Before you go..:)
There is one way ( but its expensive to stop printing ) ..there are a couple of programs that you can use to compile encrypted PDFs ..they require their own loaders to run on the end machines ..these come bundled ( if you wish ) when you create the encrypted PDFs ..these disallow printing on the end user machines..and can be set to 'number of read times , expiry dates ..and authorised mac address to run ) ..they won't stop photos of screen however.

I can't remember the names right now ..( I actually have them on a machine which isn't connected to the net, and which I rarely use , , but can't get a look at it for a couple of hours without disturbing a family member who is sleeping :) ..

If I don't have a "Eureka" moment before and remember :) ..in a few hours I'll be able to look ( presume its not urgent )..

I don't remember either if they are windows only apps ( probably, or they would be on this linux box too ) ..But I think that to avoid printing ,compiled , encrypted, protected PDFs or similar "ebook" tech is the way you'll have to go..

edit ..copysafe is the cheaper one whose name just came back to me..

the other ..for now ?

HTH

2nd edit ..Locklizard is the other ( my memory is better than I thought :)

Interesting, very cool. Thank you so much Leosghost. I shall check these out.

Thank you again,
Kind regards,
Eliott

You are more than welcome :)

..btw ( In my haste to reply in my last post above , I missed that you are a programmer, ( I'm not by any means..I'm a "curious tinkerer" ;-))..I presume then you are researching a possible method rather than a ready made app ? ) ..if this is the case , then given the price of Locklizard in particular ( IMO the better of the two apps ) ..if you do come up with something of your own without encroaching on someone else's IP ( not easy these days ..especially given what the USPTO grants "catch all" patents to/for )..the commercial potential is very interesting .

I would be very near the head of the queue for such a product :)

EyeNoseNothing: OK. Perhaps I need to change tact..
My users aren't legally allowed to print these values.

This is a drastic change in tact. Your original post said:

I'm not legally allowed to let them print.

If YOU can not allow it, then you are responsible for the printing, but if the USERS aren't legally allowed, then the users are responsible. Your change seems to absolve you of all responsibility and dump it on other people.

Then you had an idea:

In this way, the actual value is not stored on the page; view-source doesn't help.

Think again. There is a FireFox add-on called View Source Chart which details (similar to View Source) everything on the page AFTER it is rendered. One mouse click and I have everything on your page.

I think you need to revisit the question of who is legally responsible for what.

This is useless, even if you figure out how to do it, I'll use PrintScreen, increase the resolution with my nice little app and use an OCR-trace program to convert it to text.

Here's an idea. Create a membership-based site and show the sensitive content to paying visitors only.

[Leosghost] Thank you Leosghost. Unfortunately I am only looking for a solution, rather than developing one myself. I never get any interesting meaty projects.

[jalarie] Yes, it is a drastic change of tact--it's incredibly difficult to keep you people focused. I originally figured that adding the fact that it's a legal requirement would help focus the answers--there'd be none of that, "hey stupid-head, the static-electricity on my dog's back can circumvent your delusional security. Go back to cleaning my shoes!", because (what can I do?) it's a legal requirement (many laws are odd, we follow them anyway). Realising no-one here cares what will happen to me if I don't meet the legal requirements, I figured I'd try to reach your empathic side by saying it's my users--my poor unfortunate users--who will be suffering, and heart-warming responses would come flooding in. I thought I'd fooled you all, but no, not you jalarie. You saw right through my trickery. Well done, have a cookie!

View Source Chart.. View. Source. Chart.. Hey! I don't think you read my posts. View Source Chart inspects the DOM! Where in the DOM does the private address-space of a library sit?

[adder] I've already covered print-screen, y u no read the thread?

EyeNoseNothing: No-one here cares what will happen to me if I don't meet the legal requirements.

If we didn't care about you, we wouldn't bother trying to help. All you'd have to do is put up a notice saying it's illegal to print and the user's would have the problems. We're trying to help YOU avoid legal entaglements. Just as the bartender can be arrested for serving drinks to an already-drunk person who is about to drive, YOU may be in trouble for posting something that you know is illegal for someone to print.

Unfortunately, you seem to wish to argue; you're making it harder and harder to care.

Also seems to be ignoring the fact that you can't prevent printing from a web based app - can't. All you can do is make it varying degrees of pita to print. But you can't stop it.

Thank you jalarie.
Thank you wheel.