[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnash-dev] "Hole in Adobe software allows free movie downloads"

From: John Gilmore
Subject: [Gnash-dev] "Hole in Adobe software allows free movie downloads"
Date: Sun, 28 Sep 2008 22:06:40 -0700

Amazon seems to be using RTMP and only encrypting the upstream
half of the connection.

  Adobe said it issued a security bulletin earlier this month about
  how best to protect online content and called on its customers to
  couple its software security with a feature that verifies the
  validity of its video player.

  An Amazon spokesman said content on the company's Video On Demand
  service, which offers as many as 40,000 movies and TV shows on its
  Web site, cannot be pirated using video stream catching software.

  However, in tests by Reuters, at least one program to record online
  video, the Replay Media Catcher from Applian Technologies, recorded
  movies from Amazon and other sites that use Adobe's encryption
  technology together with its video player verification.

Does Gnash work with the Amazon video site yet?

Here is the Security Bulletin APSA08-06 (Sept 2, 2008):
  "Content Protection in Flash Media Server"

  Release date: September 2, 2008

  Vulnerability identifier: APSA08-06
  CVE number: N/A
  Platform: All platforms
  Affected Software: Flash Media Server 3.0

  Adobe is aware that third-party vendors have produced software to
  capture and archive video delivered via Flash Media Server
  3.0. Customers using Flash Media Server 3.0 are advised that they can
  utilize RTMPE or RTMPTE (the tunneled version) combined with SWF
  Verification to provide maximum content protection.  Details

  For more information on using RTMPE or RTMPTE and SWF Verification,
  Flash Media Server 3.0 customers can consult the following TechNote.

There are a lot more links to documentation of these misfeatures in
the TechNote.

The "SWFVerification" thing appears to be some kind of bizarre 
security-by-obscurity.  The theory appears to be that a rogue
application couldn't have a copy of the real .SWF file that was
downloaded from the site.  I haven't found a real description of
how it works, though.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]