I've been playing with face-recognition for my own amusement since you posted this reply... it's frikken fun! I'd say totally useless in a piracy situation, but damn fun to tag yourself in an image then go off and search google images for yourself - I never knew I was in so many publicly-available pictures :helpme

ok this is going on my list of things to do. doesn't look too complicated.

nope - real easy. Drop me a line if you want me to give you a hand - I've helped quite a few people already set this up and it's very inexpensive as I honestly don't aim to profit from doing this as others can attest to. But if you're handy with the command line, then following the points will get you through the whole shebang painlessly.

great stuff dude

bump... this shit needs to stay up

awesome idea as well... give them shit downloads
and quality streaming.
somethin has to be done for sure... Enough bitchin as times have changed.
The industry needs to move the business in a directn that protects content..
Let the customer follow..
If u shoot quality, then this idea will work.. Bcos they will be forced to join.
Awesome post bork :thumbsup x1000

If we follow 3 won't we be losing a lot of visitors because of browser/adobe issues?

sorry, I was off gfy for a while - no not really, since eg wowza can stream securely also to things like the iphone that doesn't support flash. Personally I've had no dealings in this, so can't write up a how-to for this side, but there are plenty of dicsussion and plugins to secure these kind of streams on wowza's forums. I support wowza myself since I've implemented a lot of services using their application, hence the wowza plug. I'd be more than willing to test out non-flash security in streams if you want to try... I've just never bothered to now since noone has shown interest in it...

Bumpage for great info!

Practically Practical
 

Hello. I'd say it is quite practical. Re-encoding the video itself wouldn't be practical but with most file formats there is a header area for meta data

My Apologies, I dont have 30 posts yet so cant do proper links.
www [dot] microsoft [dot] com/downloads/en/details.aspx?displaylang=en&FamilyID=56de5ee4-51ca-46c6-903b-97390ad14fea

If you look there is a header area where you could encode the username/IP as metadata. This should be pretty quick as it doesn't involve any reindexing of the video or any of that sort of thing. A simple file copy and edit the meta. If you have a large busy site and cant spare the resources for real time file copying there are ways around that too... ie having a pool of extra copies of files that are created during downtime and header/metadata edited real time [should be extremely quick business]

but how would that survive transcoding?

We already have this, Cop-Cms has been developed from the open source software Phash. It uses a multi threaded hasher and checker and infringes on no patents. Furthermore it can be run on very low end servers. We would be willing to let the technology into the industry to allow others to further develop it. It uses both video and audio components.

Thanks,

David

All ingenious is simple
 

how much of talk and how much advice, but definitely need a very good understanding of how to do it all and that would work and not slow down the portal

me to this helped me out

Great article! :thumbsup

Hi borked,

Great thread there, you made me post after years of lurking :)

Unfortunately it spiralled down from flv DRM to the wonders of image recognition, se lets go back for a little.

What i'm interested in is a real (that is, not yet cracked) DRM seriously stopping power users and warez scene from sharing the content online.

Few points about your suggestions:

• http progressive - kids play, quite a lot know to use dwhelper
• rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.

Not much people know about rtmp ripping, but it is expected to progressively get worse (i'm looking forward for rtmpdump support in dwhelper :).

The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..

Few points about content recognition:

• Watermarking is deterrent only for casual pirate, and those usually dont do much harm since they dont know how to mirror the site en masse.
• The analog hole/screen capturing is too slow/tedious/lofi for real-world rips
• What is important is to prevent warez scene siterips, this is the real cat and mouse.
• Siterips are usually performed by web scraping bot and member bruteforced l/p combo or using stolen credit card data. Trying to prosecute the card owner wouldn't do much good (in addition to ccbill chargeback).

So, are we screwed or not?

IMHO: It can be done if you're willing to play the cat & mouse.

DRM is tricky. Adobe with RTMPE were foolish enough to drink the cool-aid...

However they've left the door open for clendestine solutions....

since Flash 10 it is possible to to fetch some data, mangle it, and pass it to flv decoder (NetStream.appendBytes), all inside the swf...

The idea would be:

on server:

• encrypt the stream on server using aes key

in browser (as3/swf):

• fetch the stream (urlloader, sockets, whatever)
• some huge obfuscated blackbox generates same key as server and decrypts the stream
• pass the raw flv to the video object for display

When someone manages to crack this (HUGE reverse engineering effort), just change the obfuscated blackbox inside the swf and start over again. Perhaps tedious, but plug-in DRM is imho the only effective way i can think of.

Now I am curious, would there be market interest in doing it this way? Possibly as a managed service, so users of such a solution would be shielded from the cat&mouse mentioned. Probably with some guarantee that the site cannot be readily ripped and published as a single torrent.

Is there any other way without constant blackbox updates to keep pirates at the bay?

so glad I brought you out of lurking... :thumbsup

Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.

Why playing down wowza? This is a commercial solution, but the same could be implemented (not my forté) with lighttpd. you just need rtmpe+ST


The rest seem interesting comments but until the first line of defence is broken why consider the next?

For over two years I've had guys telling me how "easy" it would be to do rip my vids...and so far there is not one software available that can download these vids. I've had at least a dozen guys give it a shot and all failed.

Is Borked's solution the same as the one Stickyfingerz and Robbie have?

I just searched 'Claudia Marie' at filestube.com and on the first page of search results are videos watermarked ClaudiaMarie.com, as well as scenes with her from other sites which i realize you have no control over - the links to the files stored at Filesonic, Oron are as of the moment working.

There are older movies from 2007 before I started protecting my stuff out there. RYC goes and DMCA's them down.

Also...I freely give a downloadable version for each scene as well...but it's a tiny resolution and very low bit rate version.

Trust me...they aren't downloading the high res stream. Not saying that someone couldn't figure out a way to do it...but no software (including Replay) can even find the video, much less download it. :)

that's good then, are you using borked's method or something else?

exactly the false sense of security i'm talking about, ignorance is bliss..

rtfm....
Go play for yourself.

The problem is, of course, that RTMPE is just mere weak obfuscation (the key is computed from .swf sha256).

The source .swf is all you need for successful proxying via rtmpsuck. the token is just simple _connection.call("secureTokenResponse", null, "blahblah"); hardcoded in the .swf ... does not matter, rtmpsuck just follows the session along and hops on the play packet.

Note that securetoken wowza plugin *does not* encrypt the flv data (aside the initial RTMPE obfuscation), it just authorizes the current session to issue the play call. It relies on the already broken Adobe scheme, which is why you need to go great lengths if things should be really hard to break.

Not sure about if there are any working windows GUI tools, however rtmpdump is what is used for real-world browser automaton scraping (see my rants about complete siterips).

note: Yes, I am somewhat involved with mplayer/ffmpeg/rtmpd folk. Don't hate em, you're all using the same shady ffmpeg nonetheless..

Nice thread bro :) I love people that take the time help others like that :) The tutorial rocks!!

On the other hand, I'm not saying at all this schemes are not valid or should not be taken into consideration, still, if the end user is able to watch the movie, then its just about how complex and time consuming the leecher wants to spend on the reverse engeneering process ....

And when it comes to watching a stream, there is a server which sends it ( encrypted or not ) and the end user who renders that stream ( encrypted or not ), at the end, its all raw information, an experienced leecher would just have to hook the appropiate syscall/DLL call after the stream is decrypted and he has the full stream as if he downloaded it ....

Again, i think its an interesting thing to discuss about letting end users download or not the movies to prevent piracy, but i think thats the discussion we should focus on, not in just protecting out movies, believe me on this one, the leechers, the big ones .... Usually are very experienced users with enough knowledge to do this or have plenty "hacker" friends close who would easily make a DLL/syscall hook for him to achieve this stream encryption bypassing.

So the question here is, are the average end users who we are targeting on selling memberships and actually buy them the ones that leech content, or its only a bunch of guys that join, download all content and then upload it to major tubes, torrents, etc?

If we are talking about this bunch i mention, forget it, all you mentioned wont secure the stream, now if an important % of the pirated content comes from the average end user, then its worth the try.

I think the only good way to know this, would be that some big player starts fingerprinting their movies, if we start finding all their movies with only a bunch of fingerprints, then as i told you, forget it, its a bunch of specialized leechers you can't fight, if we find out thousands of different fingerprints, then the average user is becoming a threat and we should stop letting them download movies. Problem is, today most major big players are involved somehow in piracy, so who would give the step and fingerprint their movies to check this???

Why not just implement it still? Because i personally like downloading movies and i think lots of end users do too, to watch it on their TVs, have it on their collections, etc, and not necesarily to pirate it, so, if that end user is not the problem, it would be a bad choice from a marketing point of view disabling them from the ability to make the downloads.

My two cents.

LOL, finally i see some real coders here ;)

Bro, why bother reverse engeenering a stream when you can simply fetch it already decoded at the end users computer with a simple dll hook?

All you say its great if you are trying to sniff the connection, but for what we are talking, an end user ( Leecher or not ) grabing the content, they don't need to reverse engeneer the stream, they just have to wait the stream to be decrypted and save it via the syscall/dll hook :)

btw, catch me up anytime you want, its been years i don't hear someone speaking that "language" :) Lets keep in touch :)

It's not as simple as that, because Flash for the most part decodes the stream in software, you need to patch flash binary itself (you'd get raw pixel/audio data with dll hook -> loss in quality). Noone has done that AFAIK (and RCE effort involved tops that of reversing .swf itself).

But I see where you're coming from, if this will be done, flash is broken for eternity..

I just want to point out actually existing tools.

Again, such a patched Flash player is pure evil. rtmpdump is developed by highly skilled individuals, but for the sake of interoperability (to break out of adobe's walled garden), rather than to pirate stuff explicitly.

Imo theres simpler way to speculate about that. Use poker psychology: Casual (that is, harmless) pirate will just upload scenes he likes to private sites like chegg*t. The actual harm is imo neglible, may even serve as good promo if you strap huge site logo watermark somewhere.
People interested will come to you for more.

Regarding the dedicated pirate, their skill is imho at least on the google "how to record rtmpe securetoken" level. They're doing it for fun, race and glory in the warez underground. Unfortunately the release will find it's way to torrent sites eventually.

You might be onto something there. Perhaps the right way would be detecting and baiting the web-scraping bot in progress?

For example, there's no way for the evil guy to check all of those dozen hours he just scrapped, so injecting annoying "THIS STUFF IS PIRATED" every few frames once the bot is detected might be fun :)

LOL, i love having this chats :)

ok, i got the point, the stream is sent to the application and all the decryption is done inside it without sending out information to the OS, the thing here is, there is always interaction with the OS .... Again, i'm not that into windows internals, i'm more a linux guy, but there is no libc call on linux that doesn't end up firing up a kernel syscall ;) So you just need to know which one and when to hook it and you are done, i think the same procedure could be applied on Windows ( I INSISTS, i almost don't know Windows internals, but OSs at this point work all the same ... ), just thinking quick here as i won't find a reverse engeneering solution on a quick thread answer, but, even if the Adobe, Flash or whatover application you are refering too that does the decryption is not maybe calling the more generic syscalls ( read, write, etc ), it must be handleing memory ;) Every process that, and has to call the operating system as an application don't have the ability to enter kernel mode and assign itself the space on RAM he wants too :P So .... i insist ..... If you are sniffing the connection, there you might have a challenge, if you are watching the end stream on a computer, its just a matter of time and knowing which syscall to hook.

On the security consultant company i used to work, i'm not sure if i can talk about this, yes, the NDA has two years long so i guess i can, he developed a sort of DLL that hooked every fucking dll call an application called and called a python script to let him know what the application was doing, so, just doing a quick think here, if i had one of this movies frame and i used this tool, i would just have to make python parse every fucking dll call it gets triggered until i found that frame pattern, and there i am :) I have where to look and fetch the movies ;) Honestly, it doesn't sound that challenging when i think about it, and you seem to be really into it, so i must be missing something here or you are not doing good your homework, but you seem to be, so surely i'm missing something here ...

And about the fingerprint LOL, i said FINGERPRINT, no WATERMARK, its totally different :) A fingerprint is not shown on the video ;) Its transparent :)

Hey Robbie what is your bit rate version you are offering - mbps? Sounds like a GREAT idea. Also did you have custom programming to insert the user info into the video? I'm on elevatedx and not sure if I can implement that.

great information...but that won't solve the stealing....

This industry has put forth some very innovative ideas on piracy prevention. Will they implement it? that's another question entirely.

Pirates and Sneakers
 

Going back to the OP, seeing that the new "Pirates" movie is out, I thought I would take a Robert R. "Sneakers" approach to getting around borkeds superb offerings.

I am not a techy, but know a thing or two about video editing.

If I wanted to screencap a streaming video with sound, I would simply use one of blackmagic's capture cards which would allow me to capture at the original frame rate with no loss in quality. This is the method a lot of hardcore gamers use to make videos of their virtual adventures. The new i7 chipset has made this incredibly efficient. I am using the same technology to stream HD video live.

Secondly, not that this exists, but I could also imagine a video software program that could remove "damaged" frames (tagged frames)... basically comparing each frame to the frame in front of it and behind it.

There will always be a way around protecting content, but at the same time it shouldn't mean giving up.

I am gearing up to launch a streaming video based pay site and I plan to implement borkeds plan as well as Robbies.

Now all we need is for the pirates to get an automated email when they've been caught...

"Congratulations, you've been BORKED."

Thanks for the great thinking everyone.

This was a very cool story bro. I feel so educated now.

excellent article. very well written and very informative. thank you very much and keep posting such nice articles.

YEs!
 

I love this forum and these posts. perfect for us newbs.

Had a big break, so sorry for the delay in a reply....

Of course they will implement it. I know of lots that are now implementing it. Certainly not the vast majority, but I've helped over 50 and I'm sure countless more have helped themselves (since this thread was made so that anyone savvy enough could do it themselves).

It is surprising how many people are saying "I've a new site with exclusive content, and I'm going to offer protected streams only - no downloads"

It's only a question of time before streaming is the only method. There are ways around things like offering streams for life etc as outlined in this thread so that downloading is nearly negated.

Had a prod from someone to do something about screen ripping....

Here are some ideas floating around to help people...


Overlay identifiable info

Inject user identifiable info every eg 10 secs

Add that modified player to the OP and things are looking good!

THe problem is streaming servers are expensive. More than normal ones.

Just to show this is all still active.... a weak area in all I put front was the caching of the player, even in memory cache, which could easily be decompiled to acquire the secure token. Once that was done, one of the more powerful (though not simple) software out there, could take the secure token and rip the stream. I was always aware of this weakness.

So I have now put the effort and cash into it to close that leak. With high level encryption, the player can now be protected fully from theft of the securetoken, making this whole streaming server setup fully secure.

BTW, iOS secure streaming isn't far off - it's in beta on a few people's servers and all indications look good :D

Just want to give thumbs up for Borkedcoder, he just implemented secure streaming on my server and I got a VERY good impression of how he take care of me as a client. I'm glad I saw this thread, and can personally recommend his services.

borked just implemented his secure streaming on a new site for me and i highly recommend using this for anyone who wants to protect their content

he even included some new features with extra protection

if you ppl are serious about preventing piracy you need this!

thanks alot borked!