[Gnash-dev] Ars Technica: Amazon VoD video is copyable
From: John Gilmore
Subject: [Gnash-dev] Ars Technica: Amazon VoD video is copyable
Date: Tue, 30 Sep 2008 11:24:25 -0700

http://arstechnica.com/news.ars/post/20080929-adobe-amazon-point-fingers-over-video-ripping-exploit.html

Adobe, Amazon point fingers over video ripping exploit
By Joel Hruska | Published: September 29, 2008 - 07:10PM CT

The proliferation of online content distribution systems has meant big
business for Adobe; the company's Flash technology powers the likes of
YouTube, Amazon's Video on Demand, and Hulu. Protecting the data
streaming off these last two sites is a major concern of Big Content;
Adobe's market share is partially built on a perception that it can
offer the necessary levels of protection. That perception took a major
blow over the weekend, after an investigation proved that it was
possible to record video streaming off Amazon's Video on Demand
service, despite the company's claims to the contrary.

Reuters conducted the analysis, in which it demonstrated how at least
one media capture program, Replay Media Catcher, could be used to record
programs from Amazon. Ironically (or perhaps appropriately, depending
on your point of view), there's no need to actually purchase the
Amazon content one intends to record, thanks to an exploitable feature
the site includes to speed video playback. Replay Media Catcher isn't
free, but the demo version will play back 75 percent of a recording,
more than enough to verify proof of concept.

One of the features of Amazon's Video on Demand Service is that it
allows a customer to preview the first two minutes of a show. It's a
nice option for anyone skimming through a series or searching for a
specific episode, but it opens the door to the aforementioned exploit.
Amazon doesn't know if a viewer will actually buy the entire episode
or movie, but the company errs on the side of optimism and begins
streaming the full version to your hard drive anyway. Customers that
opt to purchase their current viewing selection can therefore continue
watching with no interruption, while those who don't will never know
the difference; the data isn't streamed to the browser, just the hard
drive.

It also means there's a full episode's worth of content sitting on the
hard drive, which opens the door to other possibilities. There are a
number of applications on the market that are capable of capturing
this information (Replay Media Catcher is one, Applian another), but
what's less clear is whose fault exactly that is. Reuters implies that
the fault lands squarely on Adobe, writing: "To boost download speeds,
Adobe dropped a stringent security feature that protects the
connection between the Adobe software and its players." According to a
recent Adobe security bulletin, however, such is not the case.

In a TechNote released on 8/29/2008, Adobe discusses the security
flaws that allow streams sent using RTMP (Real-Time Messaging
Protocol) to be captured, and advises Flash content providers on ways
to secure their streams. The company recommends two practices that can
be generally applied to all Flash content. First, SWF (Shockwave
Flash) verification should be enabled. This allows the Flash Media
Server to disconnect any SWF files it encounters that return invalid
verification bytes, and will supposedly prevent anyone from ripping
content, or at least prevent them from doing it for very long. Second,
Adobe states that stream providers should only use its RTMPE standard,
rather than RTMP. RTMPE is an encrypted protocol Adobe created to
provide SSL-like protection while incurring a smaller performance hit.

Without more information on Amazon's security measures, it seems
premature to dump all of the blame for this on Adobe. At the very
least, Amazon's decision to cache content directly to the hard drive
practically begs someone to come along and hack it; if video-on-demand
is good, free video-on-demand is surely better. If Amazon was using
the full security implementation Adobe recommends, that's one thing,
but if the company was still transmitting using the older, unencrypted
RTMP standard, that's a different story altogether. Amazon has yet to
implement a solution, but expect one sooner, rather than later.