Malicious Books?
It was only a matter of time before we had to worry about our books delivering more than a great story well told. We humans can be damned devious.
This Gizmodo article is pretty interesting, though a little thin on facts (see infra). Basically, it is possible to create a Kindle book with malicious code in the metadata. When a user views their list of titles under “Manage My Kindle” (now renamed to “Manage Your Content and Devices”) on Amazon, the code executes and a user could end up with a compromised Amazon account or worse, one imagines. If you are a Calibre user, read on and confirm you’re on a patched version.
A more thorough discussion by Benjamin Mussler, the person who discovered the flaw, is here. Note that Calibre was also vulnerable, but the developer had it patched within 4 hours of being notified. Therefore, if you use Calibre and are not on version 1.80 or higher, you would be wise to update right now.
This flaw was pointed out to Amazon and patched nearly a year ago, but was reintroduced after a recent, subsequent update to the Manage Your Content pages. Amazon has re-patched the flaw, though they seem to have taken their sweet time about it. Third parties remain vulnerable.
This, May God Help Us, is a Cherry Tomato
I have additional thoughts on this.
First, about three or four months ago, there was a slew of sites that pointed to books on Google docs. I think there weren’t/aren’t actual books there, only malware. There’s been another spate of new pirate sites just recently, many of which appear to be registered to folks in China. Right. Stage set.
Pretend for a moment that you have discovered this Amazon vulnerability and have developed an exploit. Now, you must get this BookMalware (TM) into the hands of readers and onto a Kindle user’s Manage Your Device page. Or any other page similarly vulnerable.
A reader who obtains one of these malicious files and then sends it to their Kindle becomes vulnerable to an account hack, or some other Bookware (TM) attack. I mean sure, someone’s Amazon account credentials are a pretty juicy target, but I don’t see why malicious code would necessarily limit itself to grabbing credentials.
Because, you know, that MalBook (TM) is sitting there on a server and that title is probably stored in a database somewhere, and well, suppose instead of javascript, the code was something like this:

Little Bobby Tables, via xkcd
Just saying. There’s no evidence this happened or, even, that it would work. But hey.
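Both the script-in-the-title flaw and the database aside come down to a book title being treated as code instead of data. The sketch below is an added example, not code from Amazon, Calibre or the original post: it reads the title from constructed OPF-style metadata, stores it with a parameterized query, and HTML-escapes it when the library list is rendered. The table layout, the `/book/` path and the sample titles are all made up for the illustration.

```python
import html
import re
import sqlite3
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"
OPF_NS = 'xmlns="http://www.idpf.org/2007/opf" xmlns:dc="http://purl.org/dc/elements/1.1/"'

# Constructed sample metadata, not taken from any real book file.
SAMPLE_OPFS = [
    "<package " + OPF_NS + "><metadata>"
    "<dc:title>Best Romance Ever: Number 3 in series</dc:title>"
    "<dc:creator>Suzie Author</dc:creator></metadata></package>",
    "<package " + OPF_NS + "><metadata>"
    "<dc:title>My Book of Prayers &lt;script&gt;/* constructed marker */&lt;/script&gt;</dc:title>"
    "<dc:creator>Suzie Author</dc:creator></metadata></package>",
    "<package " + OPF_NS + "><metadata>"
    "<dc:title>Robert'); DROP TABLE Students;--</dc:title>"
    "<dc:creator>Suzie Author</dc:creator></metadata></package>",
]

# Tag openers or a javascript: scheme in a title are worth a human look.
# This is only a review flag; the actual defences are in store() and render_library().
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.IGNORECASE)


def read_metadata(opf_xml):
    """Return (title, creator) as plain strings from an OPF package document."""
    upper = opf_xml.upper()
    # Refuse DTDs and entity declarations so a hostile file cannot use entity
    # expansion against the parser (a library such as defusedxml does this more thoroughly).
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD or entity declaration in book metadata")
    root = ET.fromstring(opf_xml)
    title = root.findtext(".//" + DC + "title", default="")
    creator = root.findtext(".//" + DC + "creator", default="")
    return title.strip(), creator.strip()


def store(conn, title, creator):
    """Insert one book; placeholders keep the title out of the SQL text."""
    conn.execute("INSERT INTO books (title, creator) VALUES (?, ?)", (title, creator))


def build_library(opfs):
    """Load every book into an in-memory database and collect titles flagged for review."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, creator TEXT)")
    flagged = []
    for opf in opfs:
        title, creator = read_metadata(opf)
        if SUSPICIOUS.search(title) or SUSPICIOUS.search(creator):
            flagged.append(title)
        store(conn, title, creator)  # stored verbatim; harmless as long as it stays data
    return conn, flagged


def render_library(conn):
    """Render the list of titles as HTML, escaping every metadata field on output."""
    rows = conn.execute("SELECT id, title, creator FROM books ORDER BY id").fetchall()
    items = []
    for book_id, title, creator in rows:
        items.append('<li><a href="/book/{}">{}</a> by {}</li>'.format(
            int(book_id),
            html.escape(title, quote=True),
            html.escape(creator, quote=True),
        ))
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    library, needs_review = build_library(SAMPLE_OPFS)
    print(render_library(library))
    print("flagged for review:", needs_review)
```

The markup in the second title shows up on the page as visible text instead of running, and the third title ends up as just another row in a table that still exists.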
Anyway, our MalBookWare (TM) developer must now get his product to users. You might well ask how. What leaps to mind is a website with malicious books just waiting for readers with Kindles. You must dangle the pretties and do everything you can to make your site look like there are loads of great books by great authors. All you have to deliver to the person on the other end is a mobi file with any old content, as long as the website makes it look like it’s a book by a favorite author.
Authors with services like Google Alerts, or Talkwalker alerts might start getting alerts like this:
Best Romance Ever: Number 3 in series pdf
My Book of Bible Stories and Prayers: AND My Book of Prayers
Best Romance Ever: Number 3 in series – Author, Suzie – PDF, EPUB, DOC Free Download EBook and Audiobook …
Anyone clicking on such a link, whether in an alert or through arriving at it after Googling for
Suzie Authors Best Romance Ever, Book 3, torrent
will be clicking a link (which I have altered so you can’t actually get there…) like the one below.
https://www.google . com/url?rct=j&sa=t&url =[removed]:// xxyebooks.[tld removed]/best-romance-ever-number-3-in-series_zqjr5.html&ct=ga&cd=CAEYACoUMTI5MjY0NTMzOTEwNzYyNjA4MDgyGRobert;('Drop Table Students;--sjg4gYzY0ZjI0ZjhjNzE5Y2I6Y29tOmVuOlVT&usg=AFQjCNGK5w9Tvxf3JSRA5DXs6q1JtSvZng
Ok, so I added the SQL injection just for kicks. Because it’s hilarious to SQL inject obfuscated code.
Anyhow, you see all that stuff after the number-3-in-series_zqjr5.html ? If the intent behind the link is bad, it could well be obfuscated code that will, eventually, get translated into a location that goes somewhere scary. Or not. Or to a script that delivers a malicious payload. You won’t get a book. You’ll get malware. Or, maybe, a file with a MalBookWare (TM) title.
By the way
xxyebooks.[tld removed]:
Registrant Name:WU YOUPO
Registrant Organization:WU YOUPO
Registrant Street: LIJIAPOLU
Registrant City:SHANGHAI
Registrant State/Province:Shanghai
Registrant Postal Code:368742
Registrant Country:CN
Additional Observations
There has been a great deal of speculation and public comment among some of the authors I know or know of. Many are making a connection between Kindle Unlimited and an increase in piracy, and well, maybe. But I think that’s not what they’re seeing.
There are several problems with those conclusions. Foremost is the erroneous belief that every site that advertises pirated books is actually delivering pirated books. They are not. They are delivering malware or just stealing payment information. The ironic good news for authors is that books are the bait. If people didn’t want the books, they would not be effective bait.
This is not an endorsement of anything. It’s just an observation.
The rash of Google docs as a (probable) malware delivery method isn’t an increase in actual piracy. Neither are any efforts to exploit that Kindle vulnerability, and you can bet that there were/are sites out there where the bait is supposedly pirated books by popular authors. The user may even believe they got the book, but the payload is malware.
If I were a malware deliverer, I wouldn’t bother pirating a book and altering the contents. I’d make my own content, disguise it as a popular book by grabbing the Amazon feed so I can populate the metadata and links with the author name and book title, and deliver it to the user. By the time they click on the content in their Manage my Device and say, hey! where’s my book by Suzie Author, a server in China has their Amazon credentials. Or worse.
A few more observations
Clicking on links to what looks like a pirate site is risky business. The click itself can deliver malware. It’s important to recognize that and not, if one cares about such things, conflate the apparent purpose of a link with its actual purpose. I would suggest, though, that no one should be saying, well, they got what they deserved for trying to steal books. The last thing any author should want is readers who think books = malware.
Because epub3 and other book formats allow javascript, I would expect that the book as (more) sophisticated malware delivery method is only a matter of time. Someone, at some point, is going to deliberately do what Benjamin Mussler did in order to prove to Amazon that they had a vulnerability.
Any developer worth his or her salt can extrapolate out to sneakier things to do. I suspect Amazon, Apple, and Google can secure their vendor environments. I’m not so sure about Barnes & Noble since they can’t even be bothered to take care of their Warrior Cat problem. Kobo seems to care more, so I’ll put them on the vendors who are careful list until they prove otherwise.
My point, really, is if you’re pirating, be suspicious. If you’re an author, well, not all those links are actual instances of pirated books, and you shouldn’t be clicking either.
I know I’m a bit one-sided on this one, but in terms of:
“My point, really, is if you’re pirating, be suspicious”?
How about… If you’re pirating, STOP.
I appreciate that this is a site for readers, not authors, but it’s still a bit off-putting to read a ‘how to pirate more safely’ article here. It seems like one more step toward normalizing an activity that’s illegal and that hurts authors. I understand that not all ‘pirate’ sites are really offering my books for free, and that not all downloads are lost sales. But the more normalized this activity becomes, the more sales WILL be lost, and I don’t think that’s good for authors, OR for the readers who pay for the books they read.
I’m not hysterical about piracy. I know some of it’s going to happen. But this article makes it feel as if Dear Author is, if not endorsing the practice, then at least turning a blind eye to its harms. That worries me.
Piracy will happen, like it or not. I am against it, but I fix computers for a living and the lack of sense when doing this ruins machines when the malware gets on. Losing your info online is one thing, losing everything on the hard drive due to crypto is something else.
I would rather someone be knowledgeable with how to protect themselves than to try to get anything and get hacked.
Your xkcd link is broken. Goes to a site called kxcd.com. I hope there’s no malware there… ;)
Honestly, I just don’t understand pirating. Granted I don’t buy every book I read (I get free review copies, I check some things out from the library), but 1) I’m too afraid to pirate anything for this (or similar) reasons. You don’t know what you’re downloading, to be honest. And 2) Why wouldn’t I want to support the authors that have created the stories that entertain me so greatly.
It’s just not for me.
Also, I consider myself reasonably technologically inclined and I didn’t understand 60% of this article….I mean, I got the gist of it, but the finer points and the jokes? Nope, not at all. :P
I didn’t think this was really about pirating or trying to download pirated books. I mean if you’re clicking on a book link at Amazon (or Kobo or whatever store) I would assume it is a legit sale link and not a pirate link. Or is that not always the case?
Then again I understood the gist of some of this, but not all the details.
“I’d make my own content, disguise it as a popular book by grabbing the Amazon feed so I can populate the metadata and links with the author name and book title, and deliver it to the user. ”
I’m having a little trouble following this. What is ‘the Amazon feed’?
Is it correct that for corrupt files from legitimate sites (Amazon, Kobo, etc.), the potential risk is when the book file is opened? Therefore if they are opened in Calibre (or another program that is aggressive about patching), the risk is reduced?
@library addict: I agree, in general what I took from this was not an instructional on how to pirate more safely, but that if one vulnerability was identified, it’s pretty safe to assume that there are others out there, and Amazon and other sites are not being aggressive about preventing and/or patching them. Therefore readers, even those purchasing from legitimate sites, must stay aware of emerging problems and be aggressive about protecting themselves. (Cue link to the article about back ups.)
@Janet: Agreed. If you are pirating, you need to educate yourself about what’s safe and what could cause your entire hard-drive to crash. Don’t click on random google links would be the first step (and is just general good internet advice for anybody).
I’m a little confused on how this is supposed to work. The books I’ve gotten from elsewhere (Project Gutenberg and ARCs, not pirated) don’t show up under “Manage Your Content and Devices.”
@Angela: I don’t pirate anything myself, but in some cases people do so because of lack of access to content (geo restrictions of various types) rather than a desire to avoid paying for content.
I don’t pirate books. I get them from Amazon, Kobo, ARE and other smaller publishers directly. Can I assume I’m safe from this hack?
@Kim W: I’d like to think so, but just as it isn’t true that “you can’t con an honest person”, it’s also not true that “you can’t hack a careful person.”
Theoretically, I don’t see why (except for my lack of coding skills) I couldn’t create such a MalBook, call it something enticing like “Fifty Shapes of WereDukes”, photoshop a pretty cover, and offer it as a .01 cent “promotion” on KU (or SmashWords, or any other pub-it-yourself site).
My victims might be guilty of poor taste, but nothing more foolish or criminal than that.
Sadly, as I teach in my “Intro to the Internet” classes, NOBODY and NOTHING is truly safe or private online. All you can do is minimize your risk.
@library addict: That’s my question as well.
Thanks for this informative article. I’m sending it to my husband, because he will get the jokes. ;-)
Lostshadows, I’m assuming that the pirate sites offer a “send to your kindle” option, just as legit sites do. Hmmm, I wonder if there’s any chance of Overdrive library books being affected?
People shouldn’t assume that everyone knows how to identify a pirate site as such. I’m always fielding questions from friends and family about ebooks, ereaders and such, and they know *nothing*. People seeing what seems like a good deal on a book may have no idea at all that they’re technically pirating.
According to the second linked article:
“Users who stick to e-books sold and delivered by Amazon should be safe, unless there’s another oversight on Amazon’s part.”
@Kate Sherwood:
The fact is there are many readers who have no legal means of obtaining books. Their options are pirate or no book.
This article is not about “here’s how to pirate safely.” If it were it would be a completely different article and say and suggest completely different things.
@IAM JSON: Like, they can’t get books AT ALL? Or they just can’t get the books they want?
@Janet:
OK, but this isn’t about “safe pirating” this is about the book itself as a malware delivery device.
[Edited to add: most of this reply is more general in nature, and not specifically engaging with your comment. You just gave me a convenient place to say this.]
I will represent to you all that I know for a fact that authors routinely click on those “pirate” links and broadcast the links to other authors thus distributing the malware love.
Is anyone here actually suggesting that we shouldn’t be pointing out that there are lots of sites out there offering books as bait for malware? How is that an endorsement of piracy?
A safer internet is a public good. I cannot endorse a view in which we identify who “deserved” to get malware and who didn’t.
@Angela:
There are readers who are unable to legally buy books where they live. Just like Game of Thrones is hugely pirated in all the places where HBO does not offer a legal means of watching.
@library addict:
The vulnerability was at the “Manage my Device Page” and was seen in the case of readers who sent a book that they did NOT purchase through Amazon. They would have obtained it from a third party site and then Sent to Kindle such that the book (with its malicious title) appears in the list of documents sent.
The Mussler article has screen shots showing what his Amazon page looked like with such a book delivered to his account in this manner. You can see the javascript (which would also be easy enough to disguise as a legitimate title.)
@Ros: Fixed the link. Thanks. Dang dyslexia. Sometimes no matter how hard I stare at letters and numbers I can’t be sure I got them in the right order.
@Liz H.:
Amazon has an API (Application Programming Interface) that contains data programmers are free to use in order to develop applications that hook into or enhance Amazon products.
So, I could build an application that allows a user to see a list of all the best-selling romances as of a certain date, along with buy links. The API would allow me to get just that data, which I could then wrap in my own interface and provide to users.
So, if I were building this bit of malware, I’d grab that data from the API and voila! I can generate a webpage that lists a “real” title and author name with a link that delivers my MalBookWare.
@Lostshadows:
Did you use the send to Kindle feature/applications to get them onto your device? It’s possible, depending on your device, that if you sideload and never synch to the cloud you would not see the title listed at Manage my Device.
Personally, I would not be comfortable assuming that the user is therefore safe. It’s not too hard to imagine the ways a malicious book title (or other such metadata) could be executed — but I say that without knowing the specifics of the Kindle rendering engine. There could be lots of things in the engine that prevent that. Or, you know, not.
@Liz H.:
No. For this specific vulnerability, the problem was at the Manage my Devices page — you would have had to synch the content to the cloud such that the book appeared in your list of “other files you sent to your device.”
However, Mussler also demonstrated that Calibre was vulnerable.
In this case, any mechanism that displays the book’s title from the field that contains the javascript as a clickable link would be vulnerable.
I don’t believe Kobo or Nook provide a similar functionality. Whether iBooks would be similarly vulnerable I can’t say. If it’s possible to view a list of one’s purchased iBooks from the cloud (as opposed to viewing from within a device) then, it’s conceivable, assuming a user could get third party ePubs onto that list.
@Kim W: I wouldn’t assume anything. But I would say you are somewhat safer than someone who has obtained a file from an unsafe site.
Caution is always appropriate. People are devious.
@Kate Sherwood:
Both. Obviously people who have no ability to get any eBook at all are SOL at every level. People who have the ability/devices to read a book but can’t get the books they want are the ones most often left with the pirate or no reading choice for a given title.
One eBook isn’t the same as any other book. Someone who is a fan of Nora Roberts and who wants to read her next book isn’t going to be satisfied with a non-Nora book. Just as someone who wants to see the next episode of Game of Thrones won’t be satisfied watching Batman Returns instead.
@IAM JSON: Yeah, I can understand that motivation for piracy. For me, though, really wanting to read a certain book isn’t enough to justify pirating that book.
I realize there’s a significant group of people who disagree with me about this, as well as a significant group of people on my ‘side’. I don’t think either group is likely to change the minds of the other group.
I do feel that it’s worth continuing to discuss the issue, though, mostly because I think there’s a large group of people somewhere in the middle of the debate who haven’t really decided one way or another yet, and I think it’s important to make it clear to them that pirating ISN’T something everyone does, and it IS something that bothers a lot of authors.
And my comment above about being disappointed to see this post at Dear Author was because I expect a lot of readers here are in the middle group, and I don’t think it’s right for them to walk away from the post thinking that piracy is just a fact of life and the most important thing about it is learning to do it safely.
@Kate Sherwood: If a reader has no other way to obtain a book, can you really blame her for turning to piracy? I’m not talking “too expensive” but literally unavailable. It’s very easy to say that this is wrong when one has access to ebooks, easy delivery and great libraries and stores. Not everyone is so fortunate.
The discussion shouldn’t be whether piracy is bad – as a general rule, it is – but on what can be done to reduce it. Making content easier to access and purchase would be a positive step in this regard.
@Kate Sherwood:
I really enjoy buying books. I want the authors I like to be able to eat, feed their cats, pay their rent and otherwise keep their lives sane enough so that they have the wherewithal to write more books. So I can buy them. (You see how this works?)
I have some legal and ethical concerns about DRM, especially DRM that consolidates sales and distribution of ebooks under a single entity. But on a practical level, ebooks offer enough advantages that I’m willing to work around that (and I don’t buy ebooks from Amazon, with the exception of one serial). I could go on about this all for a while, but it’s not really the point.
What is the point? My favorite ebook reader, FBReader on my phone, does perfectly lovely text to speech. (Yes, yes, the robo voice takes a little getting used to.) This means my phone can read me non-DRM’d ebooks. I have very little time to read with my eyes these days. OTOH, between solitary martial arts practice, my commute, housework, the more routine benchwork and the like, there is a lot of time I can listen to books if my eyes are not required for the process. Otherwise, seriously, it’s a couple of pages before I pass out each night. For a bit there, I was getting almost no fiction in. It was tragic.
None of the proprietary reader apps offer similar TTS functionality. And note, while this is a matter of convenience and scheduling for me, it’s one of accessibility for many people.
For publishers who are kind enough to sell non-DRM’d books, hey, it’s simple. Otherwise, well, I buy legal copies, as I’ve already mentioned, and then if I want to read them in the fashion that best suits me, my options are to forego those books, piracy or cracking. (Neither of which is particularly difficult, though software engineering used to be my day job, before I returned to research.)
So, while I understand your fears of lost sales (data as to whether sales are actually being lost is mixed) I just want to chime in as an incredibly frustrated pirate/hacker. I would be *delighted* to be able to buy more ebooks that I could use as I like. I am not happy with my current compromise. I pay for books. I’d kind of like to be able to own them, y’know?
@Catherine Kehl:
Catherine: you might want to take a look at VoiceDream. This is an eBook reader that includes Voice recognition, with the ability to purchase and download very high quality voices for a modest sum. It will read Word docs, ePubs and other text. It also synchs with services like dropbox. Although this app is designed first for people with vision impairments, it’s a nifty tool for others as well.
This isn’t a substitute for an audio book with professional narration at all. You don’t get any of the acting and inflection that make an audio book a completely different experience.
What is the BN Warrior Cats problem?
@Rose: Well, for me, it comes down to the inability to obtain “a” book.
If someone is legitimately unable to obtain books of any sort in a readable/usable format for them, I am chock-full of sympathy. I mean it. I love reading and it’s an important part of my life and there would be a big hole in my day if I couldn’t read/listen to/otherwise enjoy books.
But if someone is just unable to obtain the exact book they want? For me… that would be frustrating. I get it. (I’m Canadian, and have access to a lot of US advertising of products that aren’t available in my country – believe me, I get it!). But, no, for me, it’s not a justification for piracy. As I said above, I appreciate that other people disagree with me on that, and maybe I’m just too much of a law-and-order girl and/or biased because of being an author, but… no. For me, I think it’s wrong. Not a mortal sin, but not right, either.
@Catherine Kehl – to me, that’s a different issue. You HAVE paid for the book, and are using tools that resemble piracy in order to access the book. I guess maybe you should be buying the audio-book versions, but other than that, I don’t have a problem with people buying books and then using whatever tools are necessary to make those books accessible to them.
I’m sorry if I’m turning this into ‘Kate’s Opinions on Piracy – You Should Care’. I don’t want to ignore comments directed at me, but I also don’t want to present myself as some sort of moral authority on the issue. I know what I believe, and what’s right for me. What’s right for others in different circumstances? I can’t say. I can just hope that people do think about what they’re downloading and from where, and not just because they don’t want to pick up something dirty.
@IAM JSON:
It appears it doesn’t deal with DRM any better, though? I might take a look at it at some point, but other than the DRM issues, I’m pretty happy with the tools I have.
I actually use a few tools other than FBReader. It’s just my favorite, and I didn’t want to confuse the point. (And FBReader is generically my favorite ebook reader.) FBReader through Android leverages the Android TTS system, so I can use it with any of the voices available there. I generally do not use it with one of the fancier ones, though, since part of what I do is speed it up a great deal, and many of the “higher quality” voices don’t speed up to that extent well at all.
@Kate Sherwood: “I guess maybe you should be buying the audio-book versions…”
Really, what I’m doing is pretty different than an audiobook. If I wanted a book read and performed, I’d go for an audiobook. I can enjoy that, but I generally find them a little distracting (I could probably get used to it) and *way too slow*. The subjective experience is much more like the reading of text. I set my readers to read me the books very fast – not quite as fast as I can read with my eyes, but a substantial fraction thereof. People who aren’t used to working with TTS readers usually find this horrifying*, though I’ve heard that other folks who use them a lot often do the same thing.
I started playing around with this on behalf of a friend of mine, who managed a crazy upper management job while being very dyslexic and who almost never gets to read for pleasure at all. I didn’t realize at the time that I’d start using it myself, but it’s really enriched my life quite incredibly.
* It’s not actually that bad – it took me a couple of short stories to get used to the robo voice, and then I started speeding up the reader fairly quickly.
@Catherine Kehl: My favourite thing about the Audible app for my phone is that it speeds up the voices. Generally I just go to 1.25x speed, but there are narrators who seem to need 1.5x.
How fast are you going?
@Kate Sherwood: I’m at 3-4x the default rate, I think, but then, this is TTS, not a natural speaker. When speeding up lectures, 1.5-1.75 has usually been okay – though it depends on the speaker. (And on what I’m doing other than listening.)
@Lostshadows:
The “Manage Your Content and Devices” page separates your ebooks, documents etc. into different categories. These categories can be accessed through the “Show: ” drop-down menu, just below the “Your Content” tab. Books purchased directly from Amazon can usually be found in the “Books” category, which is the default, while documents sent to your Send-to-Kindle email address should end up in “Docs”. However, if they haven’t been delivered to your Kindle yet, they will remain in the “Pending Deliveries” category until you synchronize your Kindle.
@Catherine Kehl: This is why I make my books available for sale on my own website. A lot of my early fans are overseas (hi, Estara and Edie!) and were happy to be able to buy my books hassle- and DRM-free. They started reading me *because* my books are so accessible.
@Moriah Jovan: I am a lot more likely to buy books if they don’t have DRM, whether it’s trying new authors, or buying older books from authors I’ve enjoyed before, or what have you.
There is in fact legal precedent protecting some of the medium shifting for personal use that I do. But it’s also very clear that for me, the existence of DRM has served to normalize piracy. I am taking part in pirate ecosystems more than I would like to, or at least in ways I would prefer not to.* And it would be really, really easy to do so more. (Heck, I just reworked a script to work under linux, and, coming from the open source world, there is nothing more natural than to turn around and share my code with the world. I have not. Yet. And yet, it’s hard to be completely opposed to sharing with pirates when hey, they share with me.)
* Note, I’m a free and open source software advocate and linux geek (after many years of working at Microsoft before returning to research.) My relationship with the pirate / hacking (I will forego the discussion of the breadth covered by the term hacking) community is complex, but I’m generally pretty darned white hat.
@Moriah Jovan: …and someday, heavens only knows when, unless someone else gets to it first (and I hope they do) I’m going to put together a community project which is an index of legal non-DRM’d books, whether free or for sale. So that for those of us that really care, there’s a centralized place to go looking for some good DRM-free fic.
Because between author websites and a lot of wonderful small presses, there’s a lot of it out there – but there isn’t a good centralized way of finding it.
@pooks:
There was an online role playing game for Warrior Cats and players were using B&N reviews to have conversations with each other about their role playing. These “reviews” came with star ratings that had nothing to do with someone having read the book. Certain books were thus unfairly upranked or downranked in the reader ratings because of those bogus star ratings from role players in the comments. It does look as if B&N has cleaned that up.
@Benjamin Daniel Mussler:
Sorry for mangling your last name. I’ve corrected that in the post. And thank you for stopping by!
I agree with Ros. If pirating ebooks “bothers authors” then “inaccessibility really bothers a lot of readers” so why don’t you all fix that? Or lead the way to making your work more accessible. I don’t see how this post endorsed anything other than best practices for internet safety.
@Rose:
That’s a good point, and one I hadn’t thought of. I do actually understand that – and it’s far more of a problem than I think most of us (in the US at least) really realize.
@Kate Sherwood: I don’t understand how you can make this argument:
Basically what you’re arguing is that books are interchangeable and so long as a reader can buy some, that’s what she should do, and read whatever is available. So if she wants to read romances, but can’t, she can just make do with a gardening manual? That makes no sense. If a publisher and/or an author choose not to make certain books available to certain readers, they shouldn’t be surprised if those readers find alternate means of getting said books. An author should absolutely be paid for her work – but authors and publishers need to make sure that readers are given the opportunity to do so.
In Canada you might not be able to get US promo deals, but you don’t have the sort of restricted access to books that many readers in other places do.
I read an interesting piece a couple of weeks ago about piracy on KJ Charles’ blog – the comments were very interesting. Here’s a link in case anyone would like to check it out: http://kjcharleswriter.wordpress.com/2014/08/25/yo-ho-here-we-go-again-piracy-and-who-pays-when/
My own view of piracy is that it’s a cost of doing business. But if you make your product easily available for a reasonable price, most people will be happy to obtain it legally (this is exemplified by the game site Steam, which does exactly that). Some people are gonna pirate no matter what. And not every instance of piracy equals a lost sale. Just like a restaurant factors in wastage and a china shop factors in breakage to their operating costs, so is piracy to publishing IMO. That’s not an endorsement. I just don’t think it’s going away.
I don’t think this post is an endorsement of piracy at all. If anything, it’s a warning to authors who follow links to track down pirates to be careful where they’re going, as well as a good addendum to internet safety for readers. AND, it’s offering ANOTHER good reason not to engage in the practice.
@willaful: “People shouldn’t assume that everyone knows how to identify a pirate site as such. I’m always fielding questions from friends and family about ebooks, ereaders and such, and they know *nothing*. People seeing what seems like a good deal on a book may have no idea at all that they’re technically pirating.”
I don’t think this can be overstated. The average person is not as knowledgeable about publishing or about ebook technology as regulars at book discussion sites.
@MaryK: And even for those of us who are regulars, it’s not always obvious. There’s at least one legit site that my publisher distributes to which authors are always reporting to the publisher because it looks like a pirate site.
@Moriah Jovan: Hi, Moriah. I agree with preferring to buy directly at the maker. I also like buying Book View Cafe books directly at their website more than at Smashwords or Amazon.
@IAM JSON: Thanks for that clarification. It seems to have taken a long time. My own granddaughter loves Warrior Cats and has written in that fandom since she was 8 or 9 years old on the publisher’s site. I wonder if this was involved. Better check it out and talk to her, just in case it was something she was doing.
@IAM JSON:
Evidently BN hasn’t cleaned it up. A friend sent me a link to her book with the suggestive sexual comments in reviews, still there.
There was recently a witch hunt on my Facebook feed because some authors identified people who were pirating their books, then went after them and everyone who was friends with them, as well as anyone in any groups they were in (they were also posting these lists, including full names, on their pages saying how awful these people were and encouraging fans to give them hell). Except the original proof that people were pirating them was never disclosed. There were hundreds of people on the “known associates” list and it was like wait, what is going on here?
It was really unpleasant to see. I’m not a fan of piracy — I make video games for a living, trust me, I know all about it (and particularly enjoy the stuff we seed into leaked copies that do things like lock all doors on a level, or switch the in-game language to Hungarian after 5 minutes, or give all the enemies 1 million health and the players 1…) but I would never dream of going after people like that, in public, and have huge problems with doxxing in general. I don’t think two wrongs make a right and I’ve been really uncomfortable with how some authors handled themselves and their fanbases, especially after seeing the things that Anne Rice and others have pulled.
Anyhow, I appreciate this post as a “Hey guess what ELSE we managed to put viruses in!” because really, it’s impressive what people do. Folks believe a lot of weird things about the internet, including “Macs don’t get viruses!” and it’s like uh, folks, if it exists, someone will find a way to put advertising on it or steal your credit card info with it. Just wait. Next VR goggles will be stealing our retina patterns.
@pooks: Well, darn. I’m so sorry for your friend. B&N should be ashamed.
@Lindsay:
When I get my Oculus Rift, I’m keeping my eyes closed.
OK, not, but yeah. I hear you.
@MaryK:
As you point out, yes. Very much so. My mother is elderly. She has a Kindle. I can easily imagine her accidentally ending up at a suspect site and having not one single clue.
It’s just incorrect to believe that everyone at a “pirate” site got there because they actually do want to steal. Some people do. No question.
But are we willing to punish the innocent to make sure we punish the highest number of those who are not? That’s not a tradeoff I’m comfortable with. Why, how, and when, people end up at a site that offers (or doesn’t really offer) pirated files is, as this thread shows, considerably more nuanced than “everyone who goes there is a criminal per se.”
I get that some people want a world where people obey the rules at all times, no matter the cost. But that is not the world we live in and it won’t ever be.
You all can enjoy yet another “piracy is bad” circle jerk, but I’d like to drop some science into this thread.
The whole “don’t download pirated Kindle books” is almost a moot point. Most pirated material is either epub or mobi because most people who download pirated material or produce torrents only use those two formats. Having all this hoopla about piracy and Kindle books having malicious code (which, btw, if you wanted to know, end in the format name .azw) is kind of silly. Sure, theoretically you could get malware in epub or mobi formats, but I haven’t seen it happen yet. I’d be more wary and worried about clicking on malware from clicking on a crappy website than getting malware from pirated books.
You can bash away at me now, but I won’t be reading it. Just wanted to FYI.
@Pirate with the 411:
Dear 411: My post was agnostic about piracy. You may have noticed that there were varied interpretations, with some who felt that the post was “how to pirate safely” and others who disagreed with that. There are comments here that point out some of the reasons users might have to pirate. So, I’m not sure where you’re getting the circle jerk. Dissenting opinions, and there were those in this comment thread, are the opposite of a circle jerk.
Maybe you missed the part where Messler posted a working demonstration. At Amazon. So, I’m thinking you have missed the point about zero-day security flaws. It was not theoretical at that point.
I am well aware that Amazon internally converts their files to azw format. I don’t see how that is relevant to any issue in this thread. My point was that readers who, for whatever reason, are loading mobis onto their devices that they did not purchase from Amazon could be vulnerable to a flaw that Amazon did not promptly fix either time it was in their environment.
I do agree that people are far more at risk from other websites and emails. Kind of obvious.