[Gnash-dev] "Hole in Adobe software allows free movie downloads"
From: John Gilmore
Subject: [Gnash-dev] "Hole in Adobe software allows free movie downloads"
Date: Sun, 28 Sep 2008 22:06:40 -0700

http://www.reuters.com/article/ousiv/idUSTRE48P88V20080926?sp=true

Amazon seems to be using RTMP and only encrypting the upstream
half of the connection.

Adobe said it issued a security bulletin earlier this month about
how best to protect online content and called on its customers to
couple its software security with a feature that verifies the
validity of its video player.

An Amazon spokesman said content on the company's Video On Demand
service, which offers as many as 40,000 movies and TV shows on its
Web site, cannot be pirated using video stream catching software.

However, in tests by Reuters, at least one program to record online
video, the Replay Media Catcher from Applian Technologies, recorded
movies from Amazon and other sites that use Adobe's encryption
technology together with its video player verification.

Does Gnash work with the Amazon video site yet?

Here is the Security Bulletin APSA08-06 (Sept 2, 2008):

http://www.adobe.com/support/security/advisories/apsa08-06.html

"Content Protection in Flash Media Server"

Release date: September 2, 2008
Vulnerability identifier: APSA08-06
CVE number: N/A
Platform: All platforms
Affected Software: Flash Media Server 3.0

Summary

Adobe is aware that third-party vendors have produced software to
capture and archive video delivered via Flash Media Server
3.0. Customers using Flash Media Server 3.0 are advised that they can
utilize RTMPE or RTMPTE (the tunneled version) combined with SWF
Verification to provide maximum content protection.

Details

For more information on using RTMPE or RTMPTE and SWF Verification,
Flash Media Server 3.0 customers can consult the following TechNote.
[http://www.adobe.com/go/kb405456]

There are a lot more links to documentation of these misfeatures in
the TechNote.

The "SWFVerification" thing appears to be some kind of bizarre
security-by-obscurity. The theory appears to be that a rogue
application couldn't have a copy of the real .SWF file that was
downloaded from the site. I haven't found a real description of
how it works, though.

John