A security hole in Adobe Systems software, used to distribute movies and TV shows over the Internet, is giving users free access to record and copy from Amazon.com's video streaming service.
The problem exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience.
"It's a fundamental flaw in the Adobe design. This was designed stupidly," said Bruce Schneier, a security expert who is also the chief security technology officer at British Telecom.
The flaw rests in Adobe's Flash video servers that are connected to the company's players installed in nearly all of the world's Web-connected computers.

The software doesn't encrypt the online content itself, only the commands sent to a video player, such as start and stop play. To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players.
"Adobe is committed to the security of all of our products, from our players to our server software. Adobe invests a considerable amount of ongoing effort to help protect users from potential vulnerabilities," the company said in a statement.
Adobe said it issued a security bulletin earlier this month about how best to protect online content and called on its customers to couple its software security with a feature that verifies the validity of its video player.
An Amazon representative said content on the company's Video On Demand service, which offers as many as 40,000 movies and TV shows on its Web site, cannot be pirated using video stream catching software.
However, in tests by Reuters, at least one program to record online video, the Replay Media Catcher from Applian Technologies, recorded movies from Amazon and other sites that use Adobe's encryption technology together with its video player verification.
"Adobe's (stream) is not really encrypted," said Applian CEO Bill Dettering. "One of the downfalls with how they have architected the software is that people can capture the streams. I fully expect them to do something more robust in the near future."
How it works
The free demo version of Replay Media Catcher allows anyone to watch 75 percent of anything recorded and 100 percent of YouTube videos. For $39, a user can watch everything recorded.
One Web site--TVadfree.com--explains step-by-step how to use the video stream catching software.
Amazon's Adobe-powered Video On Demand service allows viewers to watch the first two minutes of a movie or TV show for free. It charges up to $3.99 to rent a movie for 24 hours and up to $14.99 to download a movie permanently.
Amazon starts to stream the entire movie during the free preview--even though it pauses the video on the Web browser after the first two minutes--so that users can start watching the rest of the video right away once they pay.
"It's the traditional trade-off, convenience on the one hand and security on the other," said Ray Valdes, analyst at research group Gartner.
However, even if a user doesn't pay, the stream still sends the movie to the video catching software, but not the browser.
Amazon's Video On Demand is the Web retailer's answer to declining sales of packaged movies and TV shows and the growth in demand for digital content that can be viewed and stored on the Internet.
Unlike Amazon's, videos from Hulu.com, NBC.com and CBS.com are already free, although the TV programs are interrupted by commercials. However, the stream catching software separates the commercials and the program into two separate folders, so people can keep the programs without the advertising.
Hulu.com, a video Web site owned by News Corp.'s Fox network and General Electric's NBC Universal, was the big networks' answer to YouTube, the popular video-sharing Web site where many users began uploading TV shows and other content owned by media companies.
The networks scrambled to post videos on their own sites in a bid to capture another stream of advertising revenue from a growing audience, but they have struggled with how best to show commercials which fund the programming when played on the Web.
YouTube, which started the online video boom before being bought by Google for $1.65 billion in November 2006, has also struggled to cash in on its popularity even though its user base continues to mushroom.
Destroying business models
One possible solution would be to protect the video with a digital rights management (DRM) system. A Seattle-based company called Widevine Technologies has a DRM system that can encrypt online videos using Flash.
"The fundamental problem here is that Adobe's lack of technology is not allowing the business models to be preserved," said Widevine Chief Executive Brian Baker.
The lack of content protection, according to Baker, threatens all the business models used today to fund video on the Web.
Apple, which sells movies and television shows at its online iTunes store, uses its own DRM technology called FairPlay, but it only works for video bought on iTunes.
Forrester analyst James McQuivey said he doesn't believe the video stream catching technology will entirely derail the advertising-supported business model used by the networks for online video.
"It's too complicated for most users," said McQuivey, noting that file-sharing services like BitTorrent already exist but only a small percentage of people use them.
"People want something easy to find and easy to use."
Story Copyright © 2008 Reuters Limited. All rights reserved.

If he read the Security Advisory issued by Adobe earlier this month and the TechNote that was linked to the advisory, he would have read that the way some stream catching software works is by making an unencrypted RTMP connection but faking the uri to appear as if it was an RTMPE connection. So if you take the proper measures to only allow RTMPE (and not by checking the protocol in the uri, which is, as they say, spoofable), then the stream catchers will not be able to play an unencrypted stream.
Seems like these guys should have done some homework before making statements about how "stupid" something is, or understand how something works before publishing their own wild ass guesses as to how something works.
A business model can not be "derailed" by a few clever hackers - those who are into getting their content for free will not want FLASH files, but will download AVI files ripped from DVDs at much better image quality.
The real story - something entirely missed by the CNET experts for years - is that to date there is no easy way for most consumers to connect a Mac or a PC to their new flat-screen TV at full image quality, using the full screen resolution. Where is the SVGA or DVI-D to Component Video or HDMI connection that actually works instead of getting blotchy color, image in a black box or cut-off menus, as is currently the case with 95% of TVs on the market? That's the #1 barrier to the evolution of digital, computer-based entertainment systems and content delivery services - being deliberately derailed by the collusion of CE and content industries. Please investigate and report on this very real issue.
I usually don't watch a given episode or movie more than once or twice so downloading them in any form is just a waste of hard drive space for me.
A lot of sites are using HTTP to stream, though Hulu does use RTMP. I suspect if they start using encryption we'll see rippers that just take it from the flash players buffer in memory.
But, more broadly ...
This is just one more example of how sloppy Adobe is on quality and security. Adobe has consistently been putting their own bottom line ahead of the quality and security needs of their customers. This time, the impacted customer is a big one (Amazon), so maybe this will lead to some real change. Before this, it could be argued that the easiest way to penetrate a computer is through Adobe software. Now, also it may be said that the easiest way to subvert DRM is through Adobe software. Is it that Adobe engineers are incompetent, or is it that executive leadership is incompetent? Or, are the flaws a deliberate means to drive a de-facto software rental model that cynically exploits customer naivete by leading customers to purchase the next version in the hopes that it will have fewer problems?
In one sense, they are the Washington Mutual of High Tech: screwing their own future, and that of their customers, in the relentless pursuit of a better quarterly result.
Can anyone really say that they need the next version of any of Adobe's products for any reason other than the correction of flaws, or for future OS compatibility? I for one don't really want to pay hundreds or thousands of dollars for some bug fixes, and some more OS shimming, a few unnecessary new features, and, undoubtedly, a fresh batch of bugs.
I think Adobe would be better off with Rube Goldberg as CEO ....
I'm not sure how you can really bash Adobe on security. What sort of justification do you have for your statement "This is just one more example of how sloppy Adobe is on quality and security. Adobe has consistently been putting their own bottom line ahead of the quality and security needs of their customers."?
By request, examples of where Adobe is the weakest link:
1. A hacker contest held quite a while back ... the easy way into the target system was the Flash Player. Search news.com for the story.
2. The Acrobat security holes that hit earlier this year. Then, they patched only Acrobat 8, leaving Acrobat <8 vulnerable. Brilliant. They did ultimately get the point and fix it all.
But my biggest beef is not whether there are security holes. All products have them, or will have them. My problem with this whole article is how incorrect it is factually, and the fact that the author can write such a thing without checking his facts. This is not journalism. And while he has updated the story,
http://www.reuters.com/article/marketsNews/idINN2928873020080930?rpc=44
the damage is done, and people's reputations are affected, and Adobe are left cleaning up a mess that, in this particular case, should never have happened. That's not to say there won't be a serious security flaw found in the future. But there is none here. And had he checked the facts beforehand, he would have found that to be the case. But this makes for a much better headline and read.
Here's another blogger's comments which pretty much sum up my thoughts as well,
http://www.thedrmblog.com/
this easy ripping technology has been out since 1998.
But it sure makes for a good headline and attention grabber, doesn't it? Will be interesting to see if he is held accountable for writing such rubbish without checking his facts.
I did notice that Reuters did come up with an update to the article after Adobe fixed the hole so you have to give them credit...
But it looks like they did not fix it completely and now they are being attacked by frame buffer grabbers.
While no longer free, the $14.99 downloads only cost you $3.99 :-)
Also I like the way you can watch content without advertising, see www.tvadfree.com
And Adobe did not fix anything. There was nothing to fix. The CDNs were not preventing RTMP connections (and only allowing RTMPE) properly; they either didn't have the checks in place, or they were checking based on the uri string, which Replay Media Catcher had spoofed. If you check the protocol using the APIs supplied by the Flash Media Server, then Replay Media Catcher would not have been able to make the RTMP connection, which is what they used to rip the stream. They are not touching the encrypted stream in any way.
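The admission check the two comments above describe (reject plain RTMP, and decide on the transport the server actually negotiated rather than on the scheme in the client-supplied URI), as an added example that is not Adobe's, Amazon's or the commenters' code. It is plain JavaScript so the comparison runs in Node, and it assumes the Flash Media Server Server-Side ActionScript names Client.protocol, Client.uri, Client.ip, application.onConnect, acceptConnection, rejectConnection and trace; the sample connections are constructed.

```javascript
// Added example: server-side admission check for an FMS application.
// Assumed FMS Server-Side ActionScript API: client.protocol is the negotiated
// transport ("rtmp", "rtmpe", "rtmpt", "rtmpte", "rtmps"), client.uri is the
// URI the client presented, application.onConnect decides admission.

// Weak check the comment describes: trust the scheme in the URI the client sent.
// A stream catcher can open a plain RTMP socket yet present an "rtmpe://" URI,
// so this check accepts the unencrypted connection.
function uriSchemeCheck(client) {
  return /^rtmpe:\/\//i.test(client.uri);
}

// Correct check: ask the server which transport the socket really negotiated.
const ENCRYPTED = new Set(["rtmpe", "rtmpte", "rtmps"]);
function negotiatedProtocolCheck(client) {
  return ENCRYPTED.has(String(client.protocol).toLowerCase());
}

// Decide admission for one connecting client; returns "accept" or "reject".
function decideConnection(client, check) {
  return check(client) ? "accept" : "reject";
}

// Constructed sample connections (not real hosts or captures).
const honestEncrypted = { uri: "rtmpe://vod.example.invalid/app", protocol: "rtmpe", ip: "10.0.0.5" };
const spoofedCatcher  = { uri: "rtmpe://vod.example.invalid/app", protocol: "rtmp",  ip: "10.0.0.9" };

// Runs both checks against both clients so the difference is visible.
function demo() {
  return {
    uriCheckOnSpoofed: decideConnection(spoofedCatcher, uriSchemeCheck),                // "accept": bypassed
    protocolCheckOnSpoofed: decideConnection(spoofedCatcher, negotiatedProtocolCheck),  // "reject"
    protocolCheckOnHonest: decideConnection(honestEncrypted, negotiatedProtocolCheck),  // "accept"
  };
}

// When loaded by FMS as Server-Side ActionScript the global `application` exists;
// wire the correct check into onConnect and log rejected plaintext attempts.
if (typeof application !== "undefined") {
  application.onConnect = function (client) {
    if (negotiatedProtocolCheck(client)) {
      application.acceptConnection(client);
    } else {
      trace("rejected unencrypted " + client.protocol + " connection from " + client.ip);
      application.rejectConnection(client);
    }
  };
}

if (typeof console !== "undefined") console.log(demo());
```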
First, can we please go back to the days when Windows Media Player and Real Player were supported by the various streaming sites? For example, cbs.com used to be a great site. Now, only Flash is supported and not only does the user experience fundamentally suck, but also there is frequently some issue that makes it impossible to watch a show. Tonight, for example, whenever I try to full-screen the show, the video freezes. Please bring back players that were designed for people, rather than for Adobe's revenue stream?
Second, don't forget that one thing Adobe is doing here (though clearly not doing it well) is making fair use impossible. Sure, they are trying to stop pirates, but they are also blocking legitimate use, that is. They are, to put it simply, now the bad guy ...
Just curious, what sort of legitimate use are you thinking of in stealing other people's content?
Another example of fair use is: suppose I have purchased a movie, and I want to make a back-up copy? It is permissible to do this, and this has been supported in case law. Further, I should not be required to use a particular vendor's technology in order to view my backup. What if the reason I require to use the backup is that I have changed my system in such a way that it is -not- supported by the Flash player and/or cannot connect to the content provider's Flash Media Server?
To put it more simply: if I want to throw out my VCR, it is legitimate for me to capture all of my VHS movies to my computer. I am protected by the fair use doctrine in doing exactly this, so long as I do not, at the same time, sell all my VHS movies or otherwise make them available to others. That is a simple fact. And, Adobe is making this kind of reasonable behavior impossible.
It's not the first time that a lazy attempt at "security" leaves content exposed to someone willing to take a few extra steps. Flickr tries to mask certain photos from being savable by visitors by overlaying them with a transparent GIF file, but you can still View Source and find the main image URL to grab.
What's lost in all this discussion is that the article was basically incorrect in everything it reports. Now there is all this talk about Adobe don't know what they're doing, etc. Maybe they don't. But I think it would be better to debate based on the facts than on fiction, which is what this article is.
I think what Adobe is saying is that Reuters uncovered a security flaw in the Adobe/Amazon solution.
I think they have also shown that RTMPE is not an adequate substitute for a proper content security solution. Link level protocol scrambling is only part of the need. Also it has shown that RTMPE is a tool that is subject to human error and misconfiguration.
Since Adobe states in their documentation that RTMPE does not perform a key exchange, this means that the keys must either be embedded in the Adobe client or it is not really encryption but instead may be just obfuscation or mutation. None meet the robustness requirements for key management and key generation that are typically found in the major motion picture security guidelines.
In the digital media space where content passes through many hands and networks it is important to have persistent encryption from the point of encoding to consumption. With persistent encryption, any streaming, P2P or PDL server could be used.
Additionally the Flash Player does not have protections post the decryption function, which is why the newer tools (WM Capture) mentioned by Reuters' Update 1 seem to still be effective.
It appears that Amazon/Adobe have only moved the attack points both up and downstream a little bit.
I think a proper DRM is in order here to protect all the VOD distributors' revenue streams.
Widevine offers a technology that protects the content before and after decryption from recorders called Cypher DCP or Cypher Digital Copy Protection.
http://www.widevine.com/internet_digital_media.html
for a demo see http://www.widevine.com/digitalmedia/demo/demo_16_high_noloop.swf
Any security model depends on the end user being trusted - just like any online banking or other e-commerce website. Once the video is being displayed on the screen, it can be stripped from the video buffer of the graphics card and the audio buffer of the sound card, albeit any kind of security software being used. The MPAA and RIAA have been aware of this since the dawn of the internet, and have already learned their lesson - a best effort option can only rely on the legality of the software player, and if in violation - corrective civil law will run its course. fin.
But you are correct, there are many layers to solving the problem both technology and legal.
First you must put copy protection in place and then you can take legal action if someone circumvents the copy protections.
The basic problem in the Adobe case is that the copy protection in RTMPE is just protecting the link between the server and the player. So in the player and after the player there is NO copy protection being circumvented by the screen recorders. However if you add something like Cypher DCP and you circumvent DCP then Amazon and the studios could take legal action.
Someday, we as a people will come to understand that trying to patent a particular type of brush stroke, or trademark a common word in any language, or license the use of a particular thought , is a ridiculous notion. Of course if the powers that be are left unchecked, who is to say that someday for a small fee we will have the ability to watch an amazing and enlightening spectacle, only to have it expire from our minds the following day...
by WidevineGlenn
October 1, 2008 7:47 AM PDT
Actually the Widevine Cypher DCP software prevents grabbing from the video and audio buffers.