Aside

JHOVE 1.22 is now available from OPF.

When ebooks die

Microsoft’s eBook Store is closing. According to the announcement, “starting July 2019 your ebooks will no longer be available to read, but you’ll get a full refund for all book purchases.” This shows a basic truth about DRM book purchases: you don’t actually own your copy. You can use it only as long as the provider supports it. It was honest of Microsoft to refund all “purchases,” but digital oblivion eventually awaits all DRM-protected materials.

Andy Ihnatko once told me that DRM is safe because “Amazon will be around forever.” It won’t. The fact that a company as big and stable as Microsoft is abandoning support for its DRM-protected products reminds us that all such products exist only as long as the provider has sufficient motivation and ability. It’s questionable whether Amazon’s protected ebooks from today will be readable in 2050, let alone “forever.”
Continue reading

HTML mail is a terrible idea — but at least please do it right

Originally email consisted just of text messages. They were straightforward to read. It was very hard to send malware in a convincing way, since the recipient would have to extract any malicious attachment and run it by hand. There was a hoax in 1994 warning of the alleged “Goodtimes virus”, which caused a lot of merriment among the computer-literate. The only “virus” was the hoax email itself, which the less computer-literate forwarded to all their friends.

Then came HTML mail, a huge advance in email insecurity. Now malicious URLs could hide behind links or even be opened automatically. It could include JavaScript to exploit client weaknesses and trick recipients. Today, almost everyone recognizes these advantages, and malware and phishing by email are multi-billion-dollar businesses.

Doing it right, or not doing it at all

Even so, there are good and bad ways to create HTML mail. Continue reading

JHOVE 1.22 Release Candidate 2

JHOVE 1.22 Release Candidate 2 is available today (April 2).

An issue which was noted but isn’t fixed in this release is the handling of the command line parameters. I don’t think that code has changed significantly since I worked on it. It’s so old that it was already there when I took over the project in 2005, so don’t blame me. :) Hopefully version 1.23 will have revamped command line handling using a modern code library.

JHOVE online hack week

Open Preservation Foundation has scheduled an online hack week for JHOVE. The focus for this one will be on development. Another hack week is planned for September, focusing on documentation. JHOVE just keeps going and going, and this is a chance for volunteer Java developers to reduce its issue list.
JHOVE logo

PDF/A-4

It looks as if I’ll have a little input into the upcoming PDF/A-4 standardization process; earlier this month I got an email from the 3D PDF Consortium inviting me to participate, and I responded affirmatively. While waiting for whatever happens next, I should figure out what PDF/A-4 is all about.

ISO has a placeholder for it, where it’s also called “PDF/A-NEXT.” There’s some substantive information on PDFlib. What’s interesting right at the start is that it will build on PDF/A-2, not PDF/A-3. A lot of people in the library and archiving communities thought A-3 jumped the shark when it allowed any kind of attachments without limitation. It’s impossible to establish a document’s archival suitability if it has opaque content.
Continue reading

Files that Last: 50% off!

Read an Ebook Week I’m participating in Smashwords’ “Read an Ebook Week Sale,” from March 3 to March 9, 2019. During that time, Files that Last will be available for 50% off! Don’t miss your chance to learn about “digital preservation for everygeek” at a low price.

Path traversal bugs in archive formats

Malware has shown up which takes advantage of a path traversal bug in the WinRAR archiving utility. The bug, which reportedly existed for 19 years, is fixed in the latest version. The problem stems from an old, buggy DLL which WinRAR used. It allowed the expansion of an archive with a file that would be extracted to an absolute path rather than the destination folder. In this case, the path was the system startup folder. The next time the computer was rebooted, it would run the malware file.
Continue reading

Nothing to add

Today’s XKCD is so relevant to this blog that all I can do is link to it without further comment.


.NORM Normal File Format

What part of “No Flash” doesn’t Microsoft understand?

If you disable Flash on Microsoft Edge, Microsoft ignores your setting — but only for Facebook’s domains. It sounds too conspiratorial to be true, but a number of generally reliable websites confirm it.

Bleeping Computer: “Microsoft’s Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent.”

ZDNet: “Microsoft’s Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users’ backs. The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.”
Continue reading