GFY EDUCATIONAL SERIES: How to prevent Piracy - A new way.

  • borked
    Totally Borked
    • Feb 2005
    • 6284

    #201
    Originally posted by ottopottomouse
    Sure there must be a use for dating sites to auto-nuke all the scamming Raven Riley etc profiles.
    I've been playing with face-recognition for my own amusement since you posted this reply... it's frikken fun! I'd say totally useless in a piracy situation, but damn fun to tag yourself in an image then go off and search google images for yourself - I never knew I was in so many publicly-available pictures

    For coding work - hit me up on andy // borkedcoder // com
    (consider figuring out the email as test #1)



    All models are wrong, but some are useful. George E.P. Box. p202


    • icymelon
      Confirmed User
      • Dec 2007
      • 3220

      #202
      ok this is going on my list of things to do. doesn't look too complicated.
      Network Of Adult Blogs With Hardlink Rentals Available


      • borked
        Totally Borked
        • Feb 2005
        • 6284

        #203
        nope - real easy. Drop me a line if you want me to give you a hand - I've helped quite a few people already set this up and it's very inexpensive as I honestly don't aim to profit from doing this as others can attest to. But if you're handy with the command line, then following the points will get you through the whole shebang painlessly.


        • Angel Martin
          Confirmed User
          • Apr 2008
          • 340

          #204
          great stuff dude


          SeoPorntexts.com
          - COPYWRITING - SEO - BANNERS - ICQ: 589330313 - EMAIL: jimmy-lewis @ live.com


          • Slutboat
            Confirmed User
            • Sep 2008
            • 2388

            #205
            bump... this shit needs to stay up
            The Slut Boat soon will be making another run
            The Slut Boat promises something for everyone


            • kada
              Confirmed User
              • Feb 2010
              • 292

              #206
              Originally posted by ottopottomouse
              I think the only solution compatible with this method is to offer the worlds gayest tiny file as a download option and something decent as a watch-on-site version.

              And I can completely understand the slow internet argument as I was unable to watch a youtube video yesterday that someone had posted until I had finished downloading a BBC program off their catchup site.
              awesome idea as well... give them shit downloads
              and quality streaming.
              somethin has to be done for sure... Enough bitchin as times have changed.
              The industry needs to move the business in a direction that protects content..
              Let the customer follow..
              If u shoot quality, then this idea will work.. Bcos they will be forced to join.
              Awesome post bork x1000
              Eye luf pusee - Du u?? -


              • Veggetto
                Registered User
                • Nov 2010
                • 36

                #207
                If we follow 3 won't we be losing a lot of visitors because of browser/adobe issues?
                The Best Way To Make Money from Adult Sites


                • borked
                  Totally Borked
                  • Feb 2005
                  • 6284

                  #208
                  Originally posted by Veggetto
                  If we follow 3 won't we be losing a lot of visitors because of browser/adobe issues?
                  sorry, I was off gfy for a while - no not really, since eg wowza can stream securely also to things like the iphone that doesn't support flash. Personally I've had no dealings in this, so can't write up a how-to for this side, but there are plenty of discussions and plugins to secure these kinds of streams on wowza's forums. I support wowza myself since I've implemented a lot of services using their application, hence the wowza plug. I'd be more than willing to test out non-flash security in streams if you want to try... I've just never bothered to now since no one has shown interest in it...


                  • MakingItPay
                    Confirmed User
                    • Feb 2005
                    • 1922

                    #209
                    Bumpage for great info!
                    Giant Boob High Def Trifectas
                    http://www.TrifectaBucks.com

                    3D Super Sites that Sell
                    http://www.ThrillBucks.com

                    Giant Boobs Anyone?
                    http://www.MakingitPay.com

                    ICQ me at 213177906


                    • mvc333
                      Registered User
                      • Oct 2009
                      • 36

                      #210
                      Practically Practical

                      Originally posted by borked
                      yeah, username/IP - that's a great deterrent but huge server overhead (and delay before download) to do that as it needs re-encoding for each download. Possible, but practical?
                      Hello. I'd say it is quite practical. Re-encoding the video itself wouldn't be practical but with most file formats there is a header area for meta data.

                      My apologies, I don't have 30 posts yet so can't do proper links.
                      www [dot] microsoft [dot] com/downloads/en/details.aspx?displaylang=en&FamilyID=56de5ee4-51ca-46c6-903b-97390ad14fea

                      If you look there is a header area where you could encode the username/IP as metadata. This should be pretty quick as it doesn't involve any reindexing of the video or any of that sort of thing. A simple file copy and edit the meta. If you have a large busy site and can't spare the resources for real time file copying there are ways around that too... ie having a pool of extra copies of files that are created during downtime and header/metadata edited real time [should be extremely quick business]
                      www.TwistedMegaPass.com
                      www.TwistedEnemas.com
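
An added sketch of the metadata tagging described in #210 (not code from any poster in this thread): each download gets the master bytes plus one small box carrying an HMAC-signed username|IP, and the last function shows the limit raised in the reply that follows. Assumptions: an MP4-style (ISO BMFF) box layout, since the thread names no format; the key, box UUID, sample bytes and all function names are constructed for this example.

```python
import hashlib
import hmac
import struct
import uuid

# Constructed values for this sketch: a real site would keep the key secret.
SITE_KEY = b"constructed-demo-key"
TAG_UUID = uuid.UUID("00000000-0000-4000-8000-000000000001").bytes


def box(box_type: bytes, payload: bytes) -> bytes:
    """Serialize one box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + box_type + payload


def iter_boxes(data: bytes):
    """Yield (type, payload) for each top-level box; stop on a malformed size."""
    pos = 0
    while pos + 8 <= len(data):
        (size,) = struct.unpack(">I", data[pos:pos + 4])
        if size < 8 or pos + size > len(data):
            break
        yield data[pos + 4:pos + 8], data[pos + 8:pos + size]
        pos += size


def tag_copy(master: bytes, username: str, ip: str, key: bytes = SITE_KEY) -> bytes:
    """Return a per-download copy: the master bytes plus a signed 'uuid' box.

    The box is appended at the end so byte offsets stored elsewhere in the
    file stay valid and nothing has to be re-indexed or re-encoded.
    """
    ident = f"{username}|{ip}".encode()
    mac = hmac.new(key, ident, hashlib.sha256).digest()
    return master + box(b"uuid", TAG_UUID + mac + ident)


def read_tag(data: bytes, key: bytes = SITE_KEY):
    """Return (username, ip) from a valid tag, or None if absent or altered."""
    for box_type, payload in iter_boxes(data):
        if box_type != b"uuid" or payload[:16] != TAG_UUID or len(payload) < 48:
            continue
        mac, ident = payload[16:48], payload[48:]
        expected = hmac.new(key, ident, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            username, _, ip = ident.decode().partition("|")
            return username, ip
    return None


def simulate_remux(data: bytes) -> bytes:
    """Stand-in for a transcode: only the boxes a muxer writes itself survive."""
    kept = (b"ftyp", b"moov", b"mdat")
    return b"".join(box(t, p) for t, p in iter_boxes(data) if t in kept)


# Constructed stand-in for a master file (not real video data).
MASTER = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"mdat", b"\x00" * 64)

if __name__ == "__main__":
    copy = tag_copy(MASTER, "member42", "203.0.113.7")
    print("tag on the downloaded copy:", read_tag(copy))
    print("tag after a re-mux:", read_tag(simulate_remux(copy)))
```

The HMAC only proves that a tag found on a leaked copy was written by the site and not altered; it does nothing to keep the tag in the file once the container is rewritten.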


                      • borked
                        Totally Borked
                        • Feb 2005
                        • 6284

                        #211
                        but how would that survive transcoding?


                        • mentaldave
                          Registered User
                          • May 2007
                          • 12

                          #212
                          Originally posted by Nathan
                          borked, very nice...

                          now, if we could only setup our own industry wide video fingerprinting so we do not have to pay some company to run it, that would be lovely... q is, can we without using some patent that possibly exists?

                          Your current hashes, they change if the image is resized (preserving aspect) or lowered in quality, right? So how can we build hashes which are still accurate enough but do not care about resizing or quality loss?

                          Any thoughts on that?

                          I am wondering if changing resolution of an image to a very low number, like 50x50 or so, if the colors would get close enough together regardless of how the image is cut or changed in quality?

                          IE, take a square part of the inside of an image of around 1000x1000, re-size it to 50x50 using a standard re-size technique which interpolates the colors.

                          Then use this on two versions of the same image, jpeg at 100 and jpeg at 50% quality.. and see what happens to the outcome, compare it visually...
                          We already have this, Cop-Cms has been developed from the open source software pHash. It uses a multi-threaded hasher and checker and infringes on no patents. Furthermore it can be run on very low end servers. We would be willing to let the technology into the industry to allow others to further develop it. It uses both video and audio components.

                          Thanks,

                          David
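
An added example for the question quoted in #212 (not Cop-Cms or pHash code): a minimal average hash in pure Python that shrinks a grayscale image to 8x8 cells by area averaging and keeps one bit per cell, which generalizes the shrink-to-50x50-and-compare idea. The two scenes, the resize and quality-loss stand-ins, and the match threshold are constructed for the demonstration.

```python
import hashlib

GRID = 8              # the hash has GRID * GRID = 64 bits
MATCH_THRESHOLD = 10  # assumed cut-off: at most this many differing bits is a match


def shrink(img, w=GRID, h=GRID):
    """Area-average a grayscale image (list of rows, values 0-255) to w x h cells."""
    src_h, src_w = len(img), len(img[0])
    if src_w < w or src_h < h:
        raise ValueError("image is smaller than the hash grid")
    sums = [[0] * w for _ in range(h)]
    counts = [[0] * w for _ in range(h)]
    for y, row in enumerate(img):
        cy = y * h // src_h
        for x, value in enumerate(row):
            cx = x * w // src_w
            sums[cy][cx] += value
            counts[cy][cx] += 1
    return [[sums[j][i] / counts[j][i] for i in range(w)] for j in range(h)]


def average_hash(img):
    """One bit per cell, row-major, set when the cell is brighter than the mean."""
    cells = [v for row in shrink(img) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (v > mean)
    return bits


def hamming(a, b):
    """Number of bit positions in which two hashes differ."""
    return bin(a ^ b).count("1")


def is_match(img_a, img_b, threshold=MATCH_THRESHOLD):
    return hamming(average_hash(img_a), average_hash(img_b)) <= threshold


def exact_hash(img):
    """Byte-exact hash for contrast: changes on any resize or re-compression."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def resize_half(img):
    """Constructed stand-in for a resized copy: keep every second pixel."""
    return [row[::2] for row in img[::2]]


def lower_quality(img, step=32):
    """Constructed stand-in for lossy re-compression: coarse quantization."""
    return [[v // step * step for v in row] for row in img]


def render(scene, scale=8):
    """Paint an 8x8 text layout as a 64x64 image with a fine pixel texture."""
    side = GRID * scale
    return [[(200 if scene[y // scale][x // scale] == "#" else 40) + 16 * ((x + y) % 2)
             for x in range(side)] for y in range(side)]


# Constructed test scenes: '#' is a bright region, '.' a dark one.
SCENE_A = ["..####..", ".######.", "##.##.##", "########",
           "########", "#.####.#", ".#....#.", "..####.."]
SCENE_B = ["########", "#......#", "#......#", "#..##..#",
           "#..##..#", "#......#", "#......#", "########"]

if __name__ == "__main__":
    original = render(SCENE_A)
    for name, variant in [("resized", resize_half(original)),
                          ("lower quality", lower_quality(original)),
                          ("other image", render(SCENE_B))]:
        distance = hamming(average_hash(original), average_hash(variant))
        same_bytes = exact_hash(original) == exact_hash(variant)
        print(f"{name}: bit distance {distance}, byte-identical {same_bytes}")
```

For video, the same hash would be taken over sampled frames; real copies land a few bits apart rather than exactly on each other, which is why matching uses a distance threshold instead of equality.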


                          • Baicuk

                            #213
                            All ingenious is simple

                            how much of talk and how much advice, but definitely need a very good understanding of how to do it all and that would work and not slow down the portal


                            • awwhoez
                              Confirmed User
                              • Mar 2011
                              • 212

                              #214
                              Originally posted by ThumbLord
                              bookmarked and if I knew how to rep you I would do that as well.
                              I opened another bottle of beer so did that do the trick?
                              me too, this helped me out


                              • Cyber Fucker
                                Hmm
                                • Sep 2005
                                • 12642

                                #215
                                Great article!


                                • gir
                                  Registered User
                                  • Mar 2007
                                  • 13

                                  #216
                                  Hi borked,

                                  Great thread there, you made me post after years of lurking

                                  Unfortunately it spiralled down from flv DRM to the wonders of image recognition, so let's go back for a little.

                                  What i'm interested in is a real (that is, not yet cracked) DRM seriously stopping power users and warez scene from sharing the content online.

                                  Few points about your suggestions:
                                  • http progressive - kids play, quite a lot know to use dwhelper
                                  • rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.



                                  Not many people know about rtmp ripping, but it is expected to progressively get worse (i'm looking forward to rtmpdump support in dwhelper).

                                  The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..

                                  Few points about content recognition:
                                  • Watermarking is deterrent only for casual pirate, and those usually don't do much harm since they don't know how to mirror the site en masse.
                                  • The analog hole/screen capturing is too slow/tedious/lofi for real-world rips
                                  • What is important is to prevent warez scene siterips, this is the real cat and mouse.
                                  • Siterips are usually performed by web scraping bot and member bruteforced l/p combo or using stolen credit card data. Trying to prosecute the card owner wouldn't do much good (in addition to ccbill chargeback).


                                  So, are we screwed or not?

                                  IMHO: It can be done if you're willing to play the cat & mouse.

                                  DRM is tricky. Adobe with RTMPE were foolish enough to drink the cool-aid...

                                  However they've left the door open for clandestine solutions....

                                  since Flash 10 it is possible to fetch some data, mangle it, and pass it to flv decoder (NetStream.appendBytes), all inside the swf...

                                  The idea would be:

                                  on server:
                                  • encrypt the stream on server using aes key

                                  in browser (as3/swf):
                                  • fetch the stream (urlloader, sockets, whatever)
                                  • some huge obfuscated blackbox generates same key as server and decrypts the stream
                                  • pass the raw flv to the video object for display


                                  When someone manages to crack this (HUGE reverse engineering effort), just change the obfuscated blackbox inside the swf and start over again. Perhaps tedious, but plug-in DRM is imho the only effective way i can think of.

                                  Now I am curious, would there be market interest in doing it this way? Possibly as a managed service, so users of such a solution would be shielded from the cat&mouse mentioned. Probably with some guarantee that the site cannot be readily ripped and published as a single torrent.

                                  Is there any other way without constant blackbox updates to keep pirates at bay?


                                  • borked
                                    Totally Borked
                                    • Feb 2005
                                    • 6284

                                    #217
                                    so glad I brought you out of lurking...

                                    Originally posted by gir
                                    • rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.
                                    Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.

                                    Originally posted by gir
                                    The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..
                                    Why playing down wowza? This is a commercial solution, but the same could be implemented (not my forté) with lighttpd. you just need rtmpe+ST


                                    The rest seem interesting comments but until the first line of defence is broken why consider the next?


                                    • Robbie
                                      Leaner, Meaner, Faster
                                      • Aug 2002
                                      • 20960

                                      #218
                                      Originally posted by borked
                                      Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.
                                      For over two years I've had guys telling me how "easy" it would be to rip my vids...and so far there is not one software available that can download these vids. I've had at least a dozen guys give it a shot and all failed.
                                      -Robbie
                                      ClaudiaMarie.Com


                                      • Mutt
                                        Too lazy to set a custom title
                                        • Sep 2002
                                        • 34431

                                        #219
                                        Is Borked's solution the same as the one Stickyfingerz and Robbie have?
                                        I moved my sites to Vacares Hosting. I've saved money, my hair is thicker, lost some weight too! Thanks Sly!


                                        • Mutt
                                          Too lazy to set a custom title
                                          • Sep 2002
                                          • 34431

                                          #220
                                          Originally posted by Robbie
                                          For over two years I've had guys telling me how "easy" it would be to rip my vids...and so far there is not one software available that can download these vids. I've had at least a dozen guys give it a shot and all failed.
                                          I just searched 'Claudia Marie' at filestube.com and on the first page of search results are videos watermarked ClaudiaMarie.com, as well as scenes with her from other sites which i realize you have no control over - the links to the files stored at Filesonic, Oron are as of the moment working.

                                          • Robbie
                                            Leaner, Meaner, Faster
                                            • Aug 2002
                                            • 20960

                                            #221
                                            Originally posted by Mutt
                                            I just searched 'Claudia Marie' at filestube.com and on the first page of search results are videos watermarked ClaudiaMarie.com, as well as scenes with her from other sites which i realize you have no control over - the links to the files stored at Filesonic, Oron are as of the moment working.
                                            There are older movies from 2007 before I started protecting my stuff out there. RYC goes and DMCA's them down.

                                            Also...I freely give a downloadable version for each scene as well...but it's a tiny resolution and very low bit rate version.

                                            Trust me...they aren't downloading the high res stream. Not saying that someone couldn't figure out a way to do it...but no software (including Replay) can even find the video, much less download it.
                                            -Robbie
                                            ClaudiaMarie.Com


                                            • Mutt
                                              Too lazy to set a custom title
                                              • Sep 2002
                                              • 34431

                                              #222
                                              Originally posted by Robbie
                                              There are older movies from 2007 before I started protecting my stuff out there. RYC goes and DMCA's them down.

                                              Also...I freely give a downloadable version for each scene as well...but it's a tiny resolution and very low bit rate version.

                                              Trust me...they aren't downloading the high res stream. Not saying that someone couldn't figure out a way to do it...but no software (including Replay) can even find the video, much less download it.
                                              that's good then, are you using borked's method or something else?

                                              • gir
                                                Registered User
                                                • Mar 2007
                                                • 13

                                                #223
                                                Originally posted by borked
                                                so glad I brought you out of lurking...

                                                Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.
                                                exactly the false sense of security i'm talking about, ignorance is bliss..

                                                Originally posted by hysteria.cz/sd/rtmpdump/rtmpsuck.c
                                                /* This is a Proxy Server that displays the connection parameters from a
                                                * client and then saves any data streamed to the client.
                                                */
                                                rtfm....
                                                Originally posted by hysteria.cz/sd/rtmpdump/README
                                                rtmpsuck - proxy server. See below...

                                                All you need to do is redirect your Flash clients to the machine running this
                                                server and it will dump out all the connect / play parameters that the Flash
                                                client sent. The simplest way to cause the redirect is by editing /etc/hosts
                                                when you know the hostname of the RTMP server, and point it to localhost while
                                                running rtmpsrv on your machine. (This approach should work on any OS; on
                                                Windows you would edit %SystemRoot%\system32\drivers\etc\hosts.)

                                                On Linux you can also use iptables to redirect all outbound RTMP traffic. You
                                                need to be running as root in order to use the iptables command.

                                                In my original plan I would have the transparent proxy running as a special
                                                user (e.g. user "proxy"), and regular Flash clients running as any other user.
                                                In that case the proxy would make the connection to the real RTMP server. The
                                                iptables rule would look like this:

                                                iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner \! --uid-owner proxy \
                                                -j REDIRECT
                                                Go play for yourself.

                                                The problem is, of course, that RTMPE is just mere weak obfuscation (the key is computed from .swf sha256).

                                                The source .swf is all you need for successful proxying via rtmpsuck. the token is just simple _connection.call("secureTokenResponse", null, "blahblah"); hardcoded in the .swf ... does not matter, rtmpsuck just follows the session along and hops on the play packet.

                                                Note that securetoken wowza plugin *does not* encrypt the flv data (aside from the initial RTMPE obfuscation), it just authorizes the current session to issue the play call. It relies on the already broken Adobe scheme, which is why you need to go to great lengths if things should be really hard to break.

                                                Not sure if there are any working windows GUI tools, however rtmpdump is what is used for real-world browser automation scraping (see my rants about complete siterips).

                                                note: Yes, I am somewhat involved with mplayer/ffmpeg/rtmpd folk. Don't hate em, you're all using the same shady ffmpeg nonetheless..
                                                Last edited by gir; 04-24-2011, 07:11 PM.


                                                • OnanistsCash
                                                  Confirmed User
                                                  • Mar 2011
                                                  • 183

                                                  #224
                                                  Nice thread bro, I love people that take the time to help others like that. The tutorial rocks!!

                                                  On the other hand, I'm not saying at all these schemes are not valid or should not be taken into consideration, still, if the end user is able to watch the movie, then it's just about how complex and time consuming the leecher wants to spend on the reverse engineering process ....

                                                  And when it comes to watching a stream, there is a server which sends it ( encrypted or not ) and the end user who renders that stream ( encrypted or not ), at the end, it's all raw information, an experienced leecher would just have to hook the appropriate syscall/DLL call after the stream is decrypted and he has the full stream as if he downloaded it ....

                                                  Again, i think it's an interesting thing to discuss about letting end users download or not the movies to prevent piracy, but i think that's the discussion we should focus on, not in just protecting our movies, believe me on this one, the leechers, the big ones .... Usually are very experienced users with enough knowledge to do this or have plenty "hacker" friends close who would easily make a DLL/syscall hook for him to achieve this stream encryption bypassing.

                                                  So the question here is, are the average end users who we are targeting on selling memberships and actually buy them the ones that leech content, or is it only a bunch of guys that join, download all content and then upload it to major tubes, torrents, etc?

                                                  If we are talking about this bunch i mention, forget it, all you mentioned won't secure the stream, now if an important % of the pirated content comes from the average end user, then it's worth the try.

                                                  I think the only good way to know this, would be that some big player starts fingerprinting their movies, if we start finding all their movies with only a bunch of fingerprints, then as i told you, forget it, it's a bunch of specialized leechers you can't fight, if we find out thousands of different fingerprints, then the average user is becoming a threat and we should stop letting them download movies. Problem is, today most major big players are involved somehow in piracy, so who would give the step and fingerprint their movies to check this???

                                                  Why not just implement it still? Because i personally like downloading movies and i think lots of end users do too, to watch it on their TVs, have it on their collections, etc, and not necessarily to pirate it, so, if that end user is not the problem, it would be a bad choice from a marketing point of view disabling them from the ability to make the downloads.

                                                  My two cents.
                                                  **** GREAT OPPORTUNITY! I SAY IT ;) ****

                                                  Selling PaySite + Program + Tons of Promo Content + Hybrid TGP + Everything you need to start quick, just focus on pushing traffic :P http://gfy.com/showthread.php?t=1071451

                                                  **** GREAT OPPORTUNITY! I SAY IT ;) ****


                                                  • OnanistsCash
                                                    Confirmed User
                                                    • Mar 2011
                                                    • 183

                                                    #225
                                                    Originally posted by gir
                                                    Hi borked,

                                                    Great thread there, you made me post after years of lurking

                                                    Unfortunately it spiralled down from flv DRM to the wonders of image recognition, so let's go back for a little.

                                                    What i'm interested in is a real (that is, not yet cracked) DRM seriously stopping power users and warez scene from sharing the content online.

                                                    Few points about your suggestions:
                                                    • http progressive - kids play, quite a lot know to use dwhelper
                                                    • rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.



                                                    Not many people know about rtmp ripping, but it is expected to progressively get worse (i'm looking forward to rtmpdump support in dwhelper).

                                                    The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..

                                                    Few points about content recognition:
                                                    • Watermarking is deterrent only for casual pirate, and those usually don't do much harm since they don't know how to mirror the site en masse.
                                                    • The analog hole/screen capturing is too slow/tedious/lofi for real-world rips
                                                    • What is important is to prevent warez scene siterips, this is the real cat and mouse.
                                                    • Siterips are usually performed by web scraping bot and member bruteforced l/p combo or using stolen credit card data. Trying to prosecute the card owner wouldn't do much good (in addition to ccbill chargeback).


                                                    So, are we screwed or not?

                                                    IMHO: It can be done if you're willing to play the cat & mouse.

                                                    DRM is tricky. Adobe with RTMPE were foolish enough to drink the Kool-Aid...

                                                    However they've left the door open for clandestine solutions....

                                                    since Flash 10 it is possible to fetch some data, mangle it, and pass it to flv decoder (NetStream.appendBytes), all inside the swf...

                                                    The idea would be:

                                                    on server:
                                                    • encrypt the stream on server using aes key

                                                    in browser (as3/swf):
                                                    • fetch the stream (urlloader, sockets, whatever)
                                                    • some huge obfuscated blackbox generates same key as server and decrypts the stream
                                                    • pass the raw flv to the video object for display


                                                    When someone manages to crack this (HUGE reverse engineering effort), just change the obfuscated blackbox inside the swf and start over again. Perhaps tedious, but plug-in DRM is imho the only effective way i can think of.

                                                    Now I am curious, would there be market interest in doing it this way? Possibly as a managed service, so users of such a solution would be shielded from the cat&mouse mentioned. Probably with some guarantee that the site cannot be readily ripped and published as a single torrent.

                                                    Is there any other way without constant blackbox updates to keep pirates at bay?
                                                    LOL, finally i see some real coders here ;)

                                                    Bro, why bother reverse engineering a stream when you can simply fetch it already decoded at the end users computer with a simple dll hook?

                                                    All you say is great if you are trying to sniff the connection, but for what we are talking, an end user ( Leecher or not ) grabbing the content, they don't need to reverse engineer the stream, they just have to wait for the stream to be decrypted and save it via the syscall/dll hook

                                                    btw, catch me up anytime you want, its been years i don't hear someone speaking that "language" Lets keep in touch
                                                    **** GREAT OPPORTUNITY! I SAY IT ;) ****

                                                    Selling PaySite + Program + Tons of Promo Content + Hybryd TGP + Everything you need to start quick, jus focus on pushing traffic :P http://gfy.com/showthread.php?t=1071451

                                                    **** GREAT OPPORTUNITY! I SAY IT ;) ****

                                                    Comment

                                                    • gir
                                                      Registered User
                                                      • Mar 2007
                                                      • 13

                                                      #226
                                                      Originally posted by OnanistsCash
                                                      an experienced leecher would just have to hook the appropriate syscall/DLL call after the stream is decrypted and he has the full stream as if he downloaded it ....
                                                      It's not as simple as that, because Flash for the most part decodes the stream in software, you need to patch flash binary itself (you'd get raw pixel/audio data with dll hook -> loss in quality). No one has done that AFAIK (and RCE effort involved tops that of reversing .swf itself).

                                                      But I see where you're coming from, if this will be done, flash is broken for eternity..

                                                      I just want to point out actually existing tools.

                                                      Originally posted by OnanistsCash
                                                      Again, i think its an interesting thing to discuss about letting end users download or not the movies to prevent piracy, but i think thats the discussion we should focus on, not in just protecting out movies, believe me on this one, the leechers, the big ones .... Usually are very experienced users with enough knowledge to do this or have plenty "hacker" friends close who would easily make a DLL/syscall hook for him to achieve this stream encryption bypassing.
                                                      Again, such a patched Flash player is pure evil. rtmpdump is developed by highly skilled individuals, but for the sake of interoperability (to break out of adobe's walled garden), rather than to pirate stuff explicitly.

                                                      Originally posted by OnanistsCash
                                                      So the question here is, are the average end users who we are targeting on selling memberships and actually buy them the ones that leech content, or its only a bunch of guys that join, download all content and then upload it to major tubes, torrents, etc?

                                                      If we are talking about this bunch i mention, forget it, all you mentioned wont secure the stream, now if an important % of the pirated content comes from the average end user, then its worth the try.
                                                      ...
                                                      Imo there's a simpler way to speculate about that. Use poker psychology: Casual (that is, harmless) pirate will just upload scenes he likes to private sites like chegg*t. The actual harm is imo negligible, may even serve as good promo if you strap huge site logo watermark somewhere.
                                                      People interested will come to you for more.

                                                      Regarding the dedicated pirate, their skill is imho at least on the google "how to record rtmpe securetoken" level. They're doing it for fun, race and glory in the warez underground. Unfortunately the release will find its way to torrent sites eventually.

                                                      Originally posted by OnanistsCash
                                                      Why not just implement it still? Because i personally like downloading movies and i think lots of end users do too, to watch it on their TVs, have it on their collections, etc, and not necessarily to pirate it, so, if that end user is not the problem, it would be a bad choice from a marketing point of view disabling them from the ability to make the downloads.

                                                      My two cents.
                                                      You might be onto something there. Perhaps the right way would be detecting and baiting the web-scraping bot in progress?

                                                      For example, there's no way for the evil guy to check all of those dozen hours he just scraped, so injecting annoying "THIS STUFF IS PIRATED" every few frames once the bot is detected might be fun

                                                      Comment
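One way to detect a scraping bot in progress, as suggested in post #226 (an added example, not code from any poster in this thread). The log format, thresholds, logins and IP addresses are constructed assumptions; the two signals are many distinct videos started by one login in a short window, and one login used from several IPs at once.

```python
"""Flag member logins whose request pattern looks like a site-rip in progress."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own members' normal viewing.
WINDOW = timedelta(minutes=10)
MAX_VIDEOS = 5   # distinct videos one login may start inside WINDOW
MAX_IPS = 2      # distinct client IPs one login may use inside WINDOW

# Constructed sample log: timestamp, member login, client IP, video id.
SAMPLE_LOG = """\
2011-04-28T15:00:00 bob 192.0.2.50 scene-0301
2011-04-28T15:12:00 bob 192.0.2.50 scene-0302
2011-04-28T15:24:00 bob 192.0.2.50 scene-0303
2011-04-28T15:36:00 bob 192.0.2.50 scene-0304
2011-04-28T15:48:00 bob 192.0.2.50 scene-0305
2011-04-28T16:00:00 bob 192.0.2.50 scene-0306
2011-04-28T16:00:05 alice 198.51.100.7 scene-0412
2011-04-28T16:25:30 alice 198.51.100.7 scene-0413
2011-04-28T16:40:00 alice 198.51.100.7 scene-0412
2011-04-28T16:10:00 ripbot 203.0.113.9 scene-0001
2011-04-28T16:10:10 ripbot 203.0.113.9 scene-0002
2011-04-28T16:10:20 ripbot 203.0.113.9 scene-0003
2011-04-28T16:10:30 ripbot 203.0.113.9 scene-0004
2011-04-28T16:10:40 ripbot 203.0.113.9 scene-0005
2011-04-28T16:10:50 ripbot 203.0.113.9 scene-0006
2011-04-28T16:11:00 ripbot 203.0.113.9 scene-0007
2011-04-28T16:20:00 shared 192.0.2.10 scene-0100
2011-04-28T16:21:00 shared 192.0.2.77 scene-0100
2011-04-28T16:23:00 shared 198.51.100.200 scene-0101
"""


def parse_line(line):
    """Split one log line into (timestamp, login, ip, video_id)."""
    ts, login, ip, video = line.split()
    return datetime.fromisoformat(ts), login, ip, video


def detect_scrapers(lines, window=WINDOW, max_videos=MAX_VIDEOS, max_ips=MAX_IPS):
    """Return {login: (iso_time_first_flagged, reason)} for suspicious logins.

    Keeps a sliding window of recent requests per login, so a member who
    watches many videos slowly is not flagged, while a burst is.
    """
    recent = defaultdict(deque)  # login -> (ts, ip, video) tuples inside the window
    flagged = {}
    events = sorted(parse_line(l) for l in lines if l.strip())
    for ts, login, ip, video in events:
        q = recent[login]
        q.append((ts, ip, video))
        # Drop requests that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        if login in flagged:
            continue
        videos = {v for _, _, v in q}
        ips = {i for _, i, _ in q}
        if len(videos) > max_videos:
            flagged[login] = (ts.isoformat(), "videos")
        elif len(ips) > max_ips:
            flagged[login] = (ts.isoformat(), "ips")
    return flagged


if __name__ == "__main__":
    for login, (when, reason) in detect_scrapers(SAMPLE_LOG.splitlines()).items():
        print(f"{login}: flagged at {when} ({reason})")
```

What the site does with a flagged login (marking its streams, forcing a re-login, manual review) is a separate decision from the detection shown here.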

                                                      • OnanistsCash
                                                        Confirmed User
                                                        • Mar 2011
                                                        • 183

                                                        #227
                                                        Originally posted by gir
                                                        It's not as simple as that, because Flash for the most part decodes the stream in software, you need to patch flash binary itself (you'd get raw pixel/audio data with dll hook -> loss in quality). No one has done that AFAIK (and RCE effort involved tops that of reversing .swf itself).

                                                        But I see where you're coming from, if this will be done, flash is broken for eternity..

                                                        I just want to point out actually existing tools.



                                                        Again, such a patched Flash player is pure evil. rtmpdump is developed by highly skilled individuals, but for the sake of interoperability (to break out of adobe's walled garden), rather than to pirate stuff explicitly.


                                                        Imo there's a simpler way to speculate about that. Use poker psychology: Casual (that is, harmless) pirate will just upload scenes he likes to private sites like chegg*t. The actual harm is imo negligible, may even serve as good promo if you strap huge site logo watermark somewhere.
                                                        People interested will come to you for more.

                                                        Regarding the dedicated pirate, their skill is imho at least on the google "how to record rtmpe securetoken" level. They're doing it for fun, race and glory in the warez underground. Unfortunately the release will find its way to torrent sites eventually.



                                                        You might be onto something there. Perhaps the right way would be detecting and baiting the web-scraping bot in progress?

                                                        For example, there's no way for the evil guy to check all of those dozen hours he just scraped, so injecting annoying "THIS STUFF IS PIRATED" every few frames once the bot is detected might be fun
                                                        LOL, i love having this chats

                                                        ok, i got the point, the stream is sent to the application and all the decryption is done inside it without sending out information to the OS, the thing here is, there is always interaction with the OS .... Again, i'm not that into windows internals, i'm more a linux guy, but there is no libc call on linux that doesn't end up firing up a kernel syscall ;) So you just need to know which one and when to hook it and you are done, i think the same procedure could be applied on Windows ( I INSIST, i almost don't know Windows internals, but OSs at this point work all the same ... ), just thinking quick here as i won't find a reverse engineering solution on a quick thread answer, but, even if the Adobe, Flash or whatever application you are referring to that does the decryption is not maybe calling the more generic syscalls ( read, write, etc ), it must be handling memory ;) Every process that, and has to call the operating system as an application doesn't have the ability to enter kernel mode and assign itself the space on RAM he wants to :P So .... i insist ..... If you are sniffing the connection, there you might have a challenge, if you are watching the end stream on a computer, its just a matter of time and knowing which syscall to hook.

                                                        On the security consultant company i used to work, i'm not sure if i can talk about this, yes, the NDA has two years long so i guess i can, he developed a sort of DLL that hooked every fucking dll call an application called and called a python script to let him know what the application was doing, so, just doing a quick think here, if i had one of this movies frame and i used this tool, i would just have to make python parse every fucking dll call it gets triggered until i found that frame pattern, and there i am I have where to look and fetch the movies ;) Honestly, it doesn't sound that challenging when i think about it, and you seem to be really into it, so i must be missing something here or you are not doing good your homework, but you seem to be, so surely i'm missing something here ...

                                                        And about the fingerprint LOL, i said FINGERPRINT, no WATERMARK, its totally different A fingerprint is not shown on the video ;) Its transparent

                                                        Comment

                                                        • sadiedazzle
                                                          Confirmed User
                                                          • Apr 2011
                                                          • 972

                                                          #228
                                                          Originally posted by Robbie
                                                          There are older movies from 2007 before I started protecting my stuff out there. RYC goes and DMCA's them down.

                                                          Also...I freely give a downloadable version for each scene as well...but it's a tiny resolution and very low bit rate version.

                                                          Trust me...they aren't downloading the high res stream. Not saying that someone couldn't figure out a way to do it...but no software (including Replay) can even find the video, much less download it.
                                                          Hey Robbie what is your bit rate version you are offering - mbps? Sounds like a GREAT idea. Also did you have custom programming to insert the user info into the video? I'm on elevatedx and not sure if I can implement that.
                                                          Last edited by sadiedazzle; 04-28-2011, 04:22 PM. Reason: more question

                                                          Comment

                                                          • kjmaster
                                                            Registered User
                                                            • Jun 2005
                                                            • 31

                                                            #229
                                                            great information...but that won't solve the stealing....

                                                            Comment

                                                            • Coup
                                                              🚨 PBBC International 🚨
                                                              • Apr 2010
                                                              • 9931

                                                              #230
                                                              This industry has put forth some very innovative ideas on piracy prevention. Will they implement it? that's another question entirely.

                                                              Comment

                                                              • tripleaaaintokyo

                                                                #231
                                                                Pirates and Sneakers

                                                                Going back to the OP, seeing that the new "Pirates" movie is out, I thought I would take a Robert R. "Sneakers" approach to getting around borked's superb offerings.

                                                                I am not a techy, but know a thing or two about video editing.

                                                                If I wanted to screencap a streaming video with sound, I would simply use one of blackmagic's capture cards which would allow me to capture at the original frame rate with no loss in quality. This is the method a lot of hardcore gamers use to make videos of their virtual adventures. The new i7 chipset has made this incredibly efficient. I am using the same technology to stream HD video live.

                                                                Secondly, not that this exists, but I could also imagine a video software program that could remove "damaged" frames (tagged frames)... basically comparing each frame to the frame in front of it and behind it.

                                                                There will always be a way around protecting content, but at the same time it shouldn't mean giving up.

                                                                I am gearing up to launch a streaming video based pay site and I plan to implement borked's plan as well as Robbie's.

                                                                Now all we need is for the pirates to get an automated email when they've been caught...

                                                                "Congratulations, you've been BORKED."

                                                                Thanks for the great thinking everyone.

                                                                Comment

                                                                • HarryMuff
                                                                  Confirmed User
                                                                  • Dec 2005
                                                                  • 271

                                                                  #232
                                                                  This was a very cool story bro. I feel so educated now.

                                                                  Comment

                                                                  • dc0ded
                                                                    Confirmed User
                                                                    • May 2011
                                                                    • 1022

                                                                    #233
                                                                    excellent article. very well written and very informative. thank you very much and keep posting such nice articles.
                                                                    Guaranteed Adult SEO Service- Just $275 per month

                                                                    Comment

                                                                    • Aaron Media Az
                                                                      Registered User
                                                                      • Jul 2011
                                                                      • 53

                                                                      #234
                                                                      Yes!

                                                                      I love this forum and these posts. perfect for us newbs.
                                                                      Jen C.
                                                                      Aaron Media Az
                                                                      480-250-0965

                                                                      Comment

                                                                      • borked
                                                                        Totally Borked
                                                                        • Feb 2005
                                                                        • 6284

                                                                        #235
                                                                        Originally posted by Coup
                                                                        This industry has put forth some very innovative ideas on piracy prevention. Will they implement it? that's another question entirely.
                                                                        Had a big break, so sorry for the delay in a reply....

                                                                        Of course they will implement it. I know of lots that are now implementing it. Certainly not the vast majority, but I've helped over 50 and I'm sure countless more have helped themselves (since this thread was made so that anyone savvy enough could do it themselves).

                                                                        It is surprising how many people are saying "I've a new site with exclusive content, and I'm going to offer protected streams only - no downloads"

                                                                        It's only a question of time before streaming is the only method. There are ways around things like offering streams for life etc as outlined in this thread so that downloading is nearly negated.


                                                                        Comment

                                                                        • borked
                                                                          Totally Borked
                                                                          • Feb 2005
                                                                          • 6284

                                                                          #236
                                                                          Had a prod from someone to do something about screen ripping....

                                                                          Here are some ideas floating around to help people...


                                                                          Overlay identifiable info

                                                                          Inject user identifiable info every eg 10 secs

                                                                          Add that modified player to the OP and things are looking good!


                                                                          Comment
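A sketch of the "inject user identifiable info every eg 10 secs" idea from post #236 (an added example, not borked's player code). It assumes the overlay shows a short opaque tag instead of the member's name: the tag is a truncated HMAC over member, video and 10-second window, so a tag read off a leaked capture can be traced back by whoever holds the server secret. All function names, ids and the secret are hypothetical.

```python
"""Per-viewer overlay tags that change every INTERVAL seconds and can be traced."""
import base64
import hashlib
import hmac
import math

INTERVAL = 10  # seconds per overlay window, the "every eg 10 secs" from the post


def _tag_for_window(secret, member_id, video_id, window, length):
    # NUL-separated fields so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"\x00".join([member_id.encode(), video_id.encode(), str(window).encode()])
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Base32 gives A-Z and 2-7, which stays legible in a video overlay.
    return base64.b32encode(digest)[:length].decode()


def overlay_tag(secret, member_id, video_id, position_s, length=8):
    """Tag to draw for this member at this playback position (seconds)."""
    return _tag_for_window(secret, member_id, video_id,
                           int(position_s // INTERVAL), length)


def overlay_schedule(secret, member_id, video_id, duration_s, length=8):
    """List of (start_second, tag) pairs the player would step through."""
    windows = math.ceil(duration_s / INTERVAL)
    return [(w * INTERVAL, _tag_for_window(secret, member_id, video_id, w, length))
            for w in range(windows)]


def trace_tag(secret, member_ids, video_id, position_s, seen_tag, slack=1):
    """Return the members whose tag matches one read from a leaked capture.

    position_s is where in the video the tag was seen; slack allows the
    capture's timing to be off by that many windows in either direction.
    """
    seen = seen_tag.strip().upper()
    window = int(position_s // INTERVAL)
    matches = []
    for member_id in member_ids:
        for w in range(max(0, window - slack), window + slack + 1):
            candidate = _tag_for_window(secret, member_id, video_id, w, len(seen))
            if hmac.compare_digest(candidate.encode(), seen.encode()):
                matches.append(member_id)
                break
    return matches


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed; keep the real one server-side
    members = ["m1001", "m1042", "m2077"]        # constructed member ids
    tag = overlay_tag(secret, "m1042", "scene-0412", 23.7)
    print(tag, trace_tag(secret, members, "scene-0412", 25, tag))
```

An 8-character tag carries 40 bits, so a chance match against the wrong member is unlikely for a membership list of ordinary size; a longer `length` lowers that further.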

                                                                          • My Pimp
                                                                            Confirmed User
                                                                            • May 2003
                                                                            • 1201

                                                                            #237
                                                                            The problem is streaming servers are expensive. More than normal ones.

                                                                            Comment

                                                                            • borked
                                                                              Totally Borked
                                                                              • Feb 2005
                                                                              • 6284

                                                                              #238
                                                                              Just to show this is all still active.... a weak area in all I put front was the caching of the player, even in memory cache, which could easily be decompiled to acquire the secure token. Once that was done, one of the more powerful (though not simple) software out there, could take the secure token and rip the stream. I was always aware of this weakness.

                                                                              So I have now put the effort and cash into it to close that leak. With high level encryption, the player can now be protected fully from theft of the securetoken, making this whole streaming server setup fully secure.

                                                                              BTW, iOS secure streaming isn't far off - it's in beta on a few people's servers and all indications look good :D


                                                                              Comment

                                                                              • SandraWang
                                                                                Confirmed User
                                                                                • Jun 2002
                                                                                • 309

                                                                                #239
                                                                                Just want to give thumbs up for Borkedcoder, he just implemented secure streaming on my server and I got a VERY good impression of how he takes care of me as a client. I'm glad I saw this thread, and can personally recommend his services.


                                                                                UnrealBank
                                                                                Promote Micro-Niches that Convert
                                                                                Anything from bald to bizarre and squirting.
                                                                                CCBill 50% Revenue: www.UnrealBank.com

                                                                                Comment

                                                                                • stever
                                                                                  Confirmed User
                                                                                  • Jul 2005
                                                                                  • 1716

                                                                                  #240
                                                                                  borked just implemented his secure streaming on a new site for me and i highly recommend using this for anyone who wants to protect their content

                                                                                  he even included some new features with extra protection

                                                                                  if you ppl are serious about preventing piracy you need this!

                                                                                  thanks a lot borked!


                                                                                  Brutal Bucks has extreme sites that convert!

                                                                                  Comment

                                                                                  • ArsewithClass
                                                                                    So Fucking Banned
                                                                                    • Mar 2007
                                                                                    • 7957

                                                                                    #241
                                                                                    Bumped again for christmas 2011 & the coming year of 2012...


                                                                                    A year later & still great suggestions

                                                                                    Comment

                                                                                    • Bat_Man
                                                                                      Confirmed User
                                                                                      • Apr 2012
                                                                                      • 421

                                                                                      #242
                                                                                      Hello .. I appreciate your good work .. Thumbs up dude ..
                                                                                      Content lock your adult sites with BLAM ADS

                                                                                      Comment

                                                                                      • GFELIFE
                                                                                        Confirmed User
                                                                                        • Nov 2011
                                                                                        • 131

                                                                                        #243
                                                                                        gfelife is da bestgfelife is da bestgfelife is da bestgfelife is da best

                                                                                        gfelife is da best


                                                                                        h to see a new revenue stream open up by "fighting" the pirates, I don't see why you're in this thread anyway, so stop reading now.

                                                                                        1. Turn off mpg/avi/wmv whatever downloading

                                                                                        Why do you even offer this? It makes storing your content much more costly, your bandwidth increases, and is the sure fire way to get your content pirated.

                                                                                        if you must give downloads, inject the user details into the mpg file - see
                                                                                        http://gfy.com/showpost.php?p=17565717&postcount=76


                                                                                        2. Only stream your content

                                                                                        All your content needs only to be flv or (better) mp4 (h.264 format) - cut your storage needs by > 50% in one fell swoop

                                                                                        3. Protect your streams

                                                                                        This is the technical stuff - stream rippers are two a penny these days, but follow this sequence of events and your streams are 100% secure. The only way to "rip" your stream is to have a screen capture program record full playback of your movie. Impossible to prevent that!


                                                                                        a) Stream - don't use progressive downloading

                                                                                        Progressive downloading is where you put a flash player wrapper around your content - the user can only view the content currently downloaded. That means the entire movie can only be viewed once the entire movie has been downloaded. Thus, the movie downloads into the browser cache and can then be transcoded by the end user to any other format and pirated.
                                                                                        You also consume a lot more bandwidth

                                                                                        Stream your content with a streaming application such as the flavours that Adobe and Wowza offer up - this way, if a user watches only 30 seconds of a movie, you pay only for 30 seconds of bandwidth, not what the user's internet connection allowed him to download in 30 seconds (which could be the entire movie!). It also allows for scrubbing by clicking ahead/behind in the movie's current position.

                                                                                        b) Stream your movies with RTMPE

                                                                                        Adobe launched the encrypted RTMP (RTMPE) streaming protocol a few years back and by using it, you block 90% of stream rippers. Only three that I know of can still rip RTMPE streams, and Adobe is actively pursuing trying to shut down those apps (no chance!).

                                                                                        In any case, at a 1.5% overhead on the server per stream, RTMPE is worth it to kill the majority of stream rippers

                                                                                        c) Protect your streams with a Secure Token

                                                                                        OK, you have a secure stream. This means streams in process by one app cannot be ripped by another. This however leaves a hole in the handshake between client and server - if the client is an app that can convince the server to engage in an encrypted stream, the server will dish it out.

                                                                                        A Secure Token is one only known to your app (eg your flash player) and your streaming server. On request for a stream, the client (your player) will send an SSL-protected Secure Token in the header of the request. If this matches the token stored on your streaming server, the server will release the stream. Only this token is known to your flash player (that is compiled into the player) and your streaming server (in the server config). Impossible for a rogue client (like a stream ripper) to know this.

                                                                                        However, one ripper app can listen to what is being sent during a request and circumvent this (see later)

                                                                                        Secure Token is supported by Adobe and Wowza and most players (JW Player included) support secure token.

                                                                                        d) Protect your "Secure Tokenised" flash player

                                                                                        A person can download your flash player which contains your secure token inside the compiled app and either
                                                                                        i) use the player to request streams on their own behalf, fooling your streaming server
                                                                                        ii) reverse engineer the app to find the secure token

                                                                                        A simple way to do this (which is not foolproof, but since it's transparent to the end user it's a good security) is to mod_rewrite all requests for your player that do not have a trusted http_referer set (direct requests do not have http_referer set)

                                                                                        Code:
                                                                                        RewriteEngine on
                                                                                        RewriteBase /
                                                                                        #main webserver
                                                                                        RewriteCond %{HTTP_REFERER} !^http://members\.domain1\.com/ [NC]
                                                                                        #some other trusted server
                                                                                        RewriteCond %{HTTP_REFERER} !^http://members\.domain2\.com/ [NC]
                                                                                        #we are trying to download the SecureToken player...
                                                                                        ##send them a custom player that doesn't provide the SecureToken!
                                                                                        RewriteRule ^FlashPlayer\.swf$ /media/players/FlashPlayer.swf [L]

                                                                                        The [L] is quite important since the redirect will be transparent - it will look like they are getting the same player as is shown in the HTML, but it will be untokenised and always fail on any request to serve up a movie

                                                                                        f) Protect your streaming server from unauthorised requests

                                                                                        For the only available stream ripper (which requires a LOT of knowledge of the command line to operate by the way, so eliminates a lot of pirates), that can see your encrypted secure token in the stream request header and use it to make unauthorised requests for streams, make sure your streaming server *ONLY* listens for requests coming from a valid host - a valid referrer. There is *NO* stream ripper available that can trap the secure token and spoof referrer for the moment.

                                                                                        Adobe and Wowza offer this as a plugin (free for wowza, paid for adobe)


                                                                                        g) Add encrypted user login vars to your stream

                                                                                        This is paranoid, but in some circumstances like VoD, where the username is important to the streamer, it is important. Don't give out unsecured user vars - encrypt them with an encryption method compatible with your web server (encryption) and streaming server (decryption). I won't go into the details on how to implement this, as it can be avoided if your member area is well protected from intrusive entries. I've done it though for unprotected areas where a logged-in member is sent one content and a non-logged-in member is sent another... the options are there in any case

                                                                                        This requires a custom compiled streaming server plugin.

                                                                                        Following all the points above in Point 3 will protect your streams in today's market to the hilt.



                                                                                        4. How to deal with members that want the content all the time

                                                                                        OK, in point 1 you shut off all movie downloading, in 2 only offered movies in streaming format, and in 3 you prevented your streams being ripped

                                                                                        For the majority of members, albeit taken from stream/download stats over a 2 month period with 2 clients, streams are what people want - content is fresh, no download wait time to get cock in hand etc I suppose, but the movie requests were mainly for streams.

                                                                                        However, there are still a lot of members that like to have the movie on their HD so they can watch it forever, even if they cancel membership.

                                                                                        One client didn't want to offer only streams for this reason. The members of this client that were logged as downloading movies were polled via survey monkey to ask them

                                                                                        a - if we didn't offer movie downloads would you consider cancelling your membership (95% said they would consider cancelling)

                                                                                        b - if we didn't permit downloads, but made sure the movies you like were always available, in full, for 1 year even after you cancelled your membership at some point in the future, would you consider cancelling your membership (15% said they would consider cancelling)

                                                                                        That was enough of an answer for the client since within those 15% were the pirates. Maybe all of them were pirates, maybe only 1% but a good enough chance to take the risk.

                                                                                        I implemented a method where, during the lifetime of a member, any movies added to their favourites or watched in their entirety were logged. If the member cancelled, their login would still be valid for 1 year whereupon relogin they would have full streaming access to those movies. Any new movies or old ones they never watched would be removed from full access rights and clicks on them would be used for upsells to get them back.

                                                                                        By implementing this, they lost 3% of their recurring (downloading) member base (remember only those ones that were downloading the movies - not the entire member base), but over the next 6 months got a ~70% upsell success rate turning that expired member back into a full member.


                                                                                        In all, the implementation of all the above means that all your movies are free from pirating and by-and-large your members won't care that there are no downloads since they still have access to the content they liked. Better still, it gives a chance for active upsells to win back lost members.[/QUOTE]


                                                                                        The Full Girlfriend Experience! <--- Take a look at our site!

                                                                                        Comment
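As an added illustration (not code from the thread or from any streaming product), here is one way to build the web-server-to-streaming-server hand-off described in points c) and g) of the quoted post: the web server issues a short-lived token bound to user, stream and client IP, and the streaming-server plugin verifies it. It uses HMAC signing rather than encryption, and the key, field names and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). In a deployment this is a random secret
# held only by the web server and the streaming-server plugin; it is never
# compiled into the player.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def b64e(data):
    """URL-safe base64 without padding, so the token fits in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text):
    """Inverse of b64e; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, stream, client_ip, ttl=60, now=None, key=SHARED_KEY):
    """Web-server side: sign who may play which stream, from where, until when."""
    issued = int(time.time() if now is None else now)
    claims = {"user": username, "stream": stream, "ip": client_ip,
              "exp": issued + ttl}
    body = json.dumps(claims, sort_keys=True).encode("utf-8")
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(sig)


def verify_token(token, stream, client_ip, now=None, key=SHARED_KEY):
    """Streaming-server side: return (username, "ok") or (None, reason)."""
    now = time.time() if now is None else now
    try:
        body_part, sig_part = token.split(".")
        body, sig = b64d(body_part), b64d(sig_part)
    except ValueError:  # wrong number of parts or undecodable base64
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; the body is only parsed after it is authentic.
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    claims = json.loads(body)
    if claims["stream"] != stream:
        return None, "wrong stream"
    if claims["ip"] != client_ip:
        return None, "wrong client"
    if now > claims["exp"]:
        return None, "expired"
    return claims["user"], "ok"


if __name__ == "__main__":
    # Constructed sample values: a member, a stream path and documentation IPs.
    token = issue_token("alice", "vod/scene1.mp4", "203.0.113.7", ttl=60, now=1000)
    print(verify_token(token, "vod/scene1.mp4", "203.0.113.7", now=1030))
    print(verify_token(token, "vod/scene1.mp4", "203.0.113.7", now=1061))
    print(verify_token(token, "vod/scene2.mp4", "203.0.113.7", now=1030))
    print(verify_token(token, "vod/scene1.mp4", "198.51.100.9", now=1030))
```

Because the verified username comes back from the check, the streaming server can log it per stream request, which also covers the case in g) where the username matters to the streamer.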

                                                                                        • Bat_Man
                                                                                          Confirmed User
                                                                                          • Apr 2012
                                                                                          • 421

                                                                                          #244
                                                                                          Significantly informative........what does it elaborates securing with a token?? .....carry on dude.....
                                                                                          Content lock your adult sites with BLAM ADS

                                                                                          Comment

                                                                                          • Bat_Man
                                                                                            Confirmed User
                                                                                            • Apr 2012
                                                                                            • 421

                                                                                            #245
                                                                                            All information above is helpful and I'm gonna check all that....
                                                                                            Content lock your adult sites with BLAM ADS

                                                                                            Comment

                                                                                            • Bat_Man
                                                                                              Confirmed User
                                                                                              • Apr 2012
                                                                                              • 421

                                                                                              #246
                                                                                              Well, I found this type of dilemma are not useful.....spending time on that and finally find none of that are "in-work"......need some solid info dude.....carry on....
                                                                                              Content lock your adult sites with BLAM ADS

                                                                                              Comment

                                                                                              • dgraves
                                                                                                Confirmed User
                                                                                                • Nov 2005
                                                                                                • 2283

                                                                                                #247
                                                                                                How do you prevent someone from using a program like CamTasia to capture the video?
                                                                                                Gloryhole Swallow | Cumpsters | Spy Tug | Cum Clinic | Chica's Place

                                                                                                Comment

                                                                                                • borked
                                                                                                  Totally Borked
                                                                                                  • Feb 2005
                                                                                                  • 6284

                                                                                                  #248
                                                                                                  Flash up their info (IP username etc) every X seconds at random places, so you can sue them at a later date when their captured video is found doing the rounds.
                                                                                                  This is already widely used by people I've helped.... and works as a great deterrent.

                                                                                                  For coding work - hit me up on andy // borkedcoder // com
                                                                                                  (consider figuring out the email as test #1)



                                                                                                  All models are wrong, but some are useful. George E.P. Box. p202

                                                                                                  Comment

                                                                                                  • FINESEC
                                                                                                    Registered User
                                                                                                    • Nov 2012
                                                                                                    • 59

                                                                                                    #249
                                                                                                    I don't believe that securing your content by making it non-downloadable is the way to go. Using any kind of simple tricks might only slow down people who are pirating the content (it usually takes more time to develop/integrate such solutions than it takes to crack them). Using strong cryptography solutions (DRM) is an idea (obviously nothing is uncrackable) but is really annoying for legitimate users. Most people that are pirating the content are not getting it legally in the first place.

                                                                                                    That's why I think that the key to protect your content is to:
                                                                                                    - protect your website against password crackers (there're many tools out there which can easily crack most websites - most captcha solutions are easily solved by OCR tools)
                                                                                                    - protect your website against account (password) sharing
                                                                                                    - search your content on the internet and send DMCA's
                                                                                                    Last edited by FINESEC; 11-09-2012, 01:55 PM.
                                                                                                    http://SiteDefensor.com - secure authentication, password cracking and sharing prevention, site ripping protection
                                                                                                    http://SiteCaptcha.com - free, secure and simple CAPTCHA solution

                                                                                                    Comment

                                                                                                    • borked
                                                                                                      Totally Borked
                                                                                                      • Feb 2005
                                                                                                      • 6284

                                                                                                      #250
                                                                                                      Each has their own opinion. However, these are not simple tricks in play here and have yet to be broken. You can protect your accounts from password sharing all you want, but that is not stopping a member downloading and pirating your content.
                                                                                                      Searching the internet for your content is futile. As is closing the stable door once the horse has bolted.

                                                                                                      In other developments, "simple tricks" have enabled fully secure streaming to iOS and Android devices....
                                                                                                      check it out on an iOS or Android device here: http://html5.borkedcoder.com/

                                                                                                      For coding work - hit me up on andy // borkedcoder // com
                                                                                                      (consider figuring out the email as test #1)



                                                                                                      All models are wrong, but some are useful. George E.P. Box. p202

                                                                                                      Comment
