GFY EDUCATIONAL SERIES: How to prevent Piracy - A new way.
 

Call it an educational series section if you want but this is my take on how to prevent piracy and is a little bit technical.

It stems from the base that the vast majority of people being pirated from offer their product in digital format *only* and so the easiest way to prevent your product from spreading as pirated is to prevent your product from getting on the hard drives of the future pirate/seeder.

Technology in this matter has moved enormously in the last few years and I'd say everyone offers streaming as an option in their members area.

If you offer downloads of your movies and don't want to enter into DRMing them, then you will not prevent piracy.

The best solution is to offer your movies *only* as protected streams. I'll get to other problems associated with only offering your movies as streams (ie members want access to the movie always even after membership expiry) at the end.

If you take the stance that your members are signing up to see what they want to see and not to seed it to the masses then this solution will work for you.

If you don't care that your content is pirated and only wish to see a new revenue stream open up by "fighting" the pirates, I don't see why you're in this thread anyway, so stop reading now.

1. Turn off mpg/avi/wmv whatever downloading

Why do you even offer this? It makes storing your content much more costly, your bandwidth increases, and is the sure fire way to get your content pirated.

if you must give downloads, inject the user details into the mpg file - see
https://gfy.com/showpost.php?p=17565717&postcount=76


2. Only stream your content

All your content needs only to be flv or (better) mp4 (h.264 format) - cut your storage needs by > 50% in one fail swoop

3. Protect your streams

This is the technical stuff - stream rippers are two a penny these days, but follow this sequence of events and your streams are 100% secure. The only way to "rip" your stream is to have a screen capture program record full playback of your move. Impossible to prevent that!


a) Stream - don't use progressive downloading

Progressive downloading is where you put a flash player wrapper around your content - the user can only view the content currently downloaded. That means the entire movie can only be viewed once the entire movie has been downloaded. Thus, the movie downloads into the browser cache and can then be transcoded by the end user to any other format and pirated.
You also consume a lot more bandwidth

Stream your content with a streaming application such as the flavours that Adobe and Wowza offer up - this way, if a user watches only 30 seconds of a movie, you pay only for 30 seconds of bandwidth, not what the users internet connection allowed him to download in 30 seconds (which could be the entire movie!). It also allows for scrubbing by clicking ahead/behind in the movies current position.

b) Stream your movies with RTMPE

Adobe launched the encrypted RTMP (RTMPE) streaming protocol a few years back and by using it, you block 90% of stream rippers. Only three that I know of can still rip RTMPE streams, and Adobe is actively pursuing trying to shut down those apps (no chance!).

In any case, at a 1.5% overhead on the server per stream, RTMPE is worth it to kill the majority of stream rippers

c) Protect your streams with a Secure Token

OK, you have a secure stream. This means streams in process by one app cannot be ripped by another. This however leaves a hole in the handshake between client and server - if the client is an app that can convince the server to engage in an encrypted stream, the server will diss it out.

A Secure Token is one only known to your app (eg your flash player) and your streaming server. On request for a stream, the client (your player) will send a SSL-protected Secure Token in the header of the request. If this matches the token stored on your streaming server, the server will release the stream. Only this token is known to your flash player (that is compiled into the player) and your streaming server (in the server config). Impossible for a rogue client (like a stream ripper) to know this.

However, one ripper app can listen to what is being sent during a request and circumvent this (see later)

Secure Token is supported by Adobe and Wowza and most players (JW PLayer included) support secure token.

d) Protect your "Secure Tokenised" flash player

A person can download your flash player which contains your secure token inside the compiled app and either
i) use the player to request streams on their own behalf, fooling your streaming server
ii) reverse engineer the app to find the secure token

A simple way to do this (which is not foolproof, but since it's transparent to the end user it's a good security) is to mod_rewrite all requests for your player that do not have a trusted http_referer set (direct requests do not have http_referer set)

the [L] is quite important since the redirect will be transparent - it will look like they are getting the same player as is shown in the HTML, but it will be untokenised and always fail on any request to serve up a movie

f) Protect your streaming server from unauthorised requests

For the only available stream ripper (which requires a LOT of knowledge of the command line to operate by the way, so eliminates a lot of pirates), that can see your encrypted secure token in the stream request header and use it to make unauthorised requests for streams, make sure your streaming server *ONLY* listens for requests coming from a valid host - a valid referrer. There is *NO* stream ripper available that can trap the secure token and spoof referrer for the moment.

Adobe and Wowza offer this as a plugin (free for wowza, paid for adobe)


g) Add encrypted user login vars to your stream

This is paranoid, but some circumstances like VoD where the username is important to the streamer, it is important. Don't give out unsecured user vars - encrypt them with a method encryption compatible with your web server (encryption) and streaming server (decryption). I won't go into the details on how to implement this, as it can be avoided if your member area is well protected from intrusive entries. I've done it though for unprotected areas where a logged in member is sent one content and a none-logged in member is sent another... the options are there in any case

This requires a custom compiled streaming server plugin.

Following all the points above in Point 3 will protect your streams in today's market to the hilt.



4. How to deal with members that want the content all the time

OK, in point 1 you shut off all movie downloading, in 2 only offered movies in streaming format, and in 3 you prevented your streams being ripped

For the majority of members, albeit taken from stream/download stats over a 2 month period with 2 clients, streams are what people want - content is fresh, no download wait time to get cock in hand etc I suppose, but the movie requests were mainly for streams.

However, there are a still a lot of members that like to have the movie on their HD so they can watch it forever, even if they cancel membership.

One client didn't want to offer only streams for this reason. The members of this client that were logged as downloading movies were polled via survey monkey to ask them

a - if we didn't offer movie downloads would you consider cancelling your membership (95% said they would consider cancelling)

b - if we didn't permit downloads, but made sure the movies you like were always available, in full, for 1 year even after you cancelled your membership at some point in the future, would you consider cancelling your membership (15% said they would consider cancelling)

That was enough of an answer for the client since within those 15% were the pirates. Maybe all of them were pirates, maybe only 1% but a good enough chance to take the risk.

I implemented a method where, during the lifetime of a member, any movies added to their favourites or watched in their entirety were logged. If the member cancelled, their login would still be valid for 1 year whereupon relogin they would have full streaming access to those movies. Any new movies or old ones they never watched would be removed from full access rights and clicks on them would be used for upsells to get them back.

By implementing this, they lost 3% of their recurring (downloading) member base (remember only those ones that were downloading the movies - not the entire member base), but over the next 6 months got a ~70% upsell success rate turning that expired member back into a full member.


In all, the implementation of all the above means that all your movies are free from pirating and by-and-large your members won't care that there are no downloads since they still have access to the content they liked. Better still, it gives a chance for active upsells to win back lost members.

It turned into quite a long post and I haven't proof read it at all, so I'll finish it off with a GFY Education Series style signoff with a disclaimer that all spelling/grammar errors were maid purely by me.

About the author:

Borkedcoder aka Andy is a pain in the arse freelance web programmer and system admin that is over worked, under paid and loves to get his teeth into problems. If it's not problematic, it bores me!


Oh, and if you liked the post, you can rep me - got to beat JDL in this green power pill thing...

Piss excellence!

My parrot says "nice read" :thumbsup

if someone wants to download your movie to upload to another site/torrent/etc, they'll work out how to, even if you don't let people download the files easily. all this does is annoy your "regular" members. It also fucks people with slow internet connections, or who want to watch the porn while not online. which is probably quite a large % of cases still. if they only wanted to view it online theres enough free stuff online. i suspect some people join sites cos they know they can watch it offline.

:2 cents:

nice stuff in there. Way better than what the other party is doing.

You didn't read the post - if you followed that to protect your streams, you will not be able to download the movie. Period.

Well, this depends on your member base and until you've tried it or surveyed your members, or started tracking % downloads per % streams, you will of course have no idea.

Like I said, I've only implemented this for 2 clients (1 with >500 recurring members) and for them the results are more that satisfactory. Maybe they'll chime in here to give their feedback (though their are not english speaking...)

So what are your prices to do this to an existing site?

Good info, nicely presented. Thanks borked.

I especially liked that "streaming movies available for one year after cancellation" solution.

What about letting the returning ex-member read about the new updates since they canceled (but not be able to view them), and then throw in a re-join offer (10% discount or something)?

great post!

i'm not sure for existing member areas, but if I were to open a new paysite I'd implement all these methods to protect my content

Will the token thing prevent me searching through the packets until I find where the video lives and then collecting it?

I like puzzles.

Great advice.

Awesome writeup, top fucking notch man but I'm going to have to go with...

I would never sign up for a site that had this much shit locked down. I want porn on my TV... therefor if I can't download it, I'm not interested. I think this is going to be the case for quite a few people and the crowd is growing larger by the day.

UNLESS... You start offering streaming in other ways; Boxee plugin, custom client, etc... My requirement is that it's not on my fucking computer, hahaha.

By the way have I mentioned the industry time bomb yet? It's called Netflix Adult... They could easily sweep up a metric shit ton of market share. Content delivery to your TV is where it's at.

Edit: Bottom line is... People don't choose to consume porn on their computer; they do so because it's the best available option. If the same content was available on their TV using a remote and chilling on their bed/couch... I'm willing to bet a year's salary that far more people would opt for consuming content via their entertainment centers ;)

A nice thought - and I am actually looking into this right now - but what about the screen capture programs that you just barely mention? More tedious? Yes. But doable? Yes.

Does screen capturing lose quality in the video? (Enough for surfers to notice?) I'd record my videos in super HD and possibly implement this... if it meant constraining an entire computer (video capturing) vs. downloading out of your cache and barely using any cpu resources PLUS a loss in quality I'd be very interested. :thumbsup

Yes, that's exactly how it works in what has been implemented - on login with an expired user/pass, they get sent to the holding area with all their movies available listed.

However, the entire member area is still open for them to browse and looks like what every other valid member sees. The difference is, on clicking the "View this movie" they get the modal box with details on how to come back (at discounted price as a bonus etc).

All thumbs are still viewable, but the "good stuff" needs for them to come back into the circle, and a lot do!

borked is a smart cookie.
:thumbsup

you can never prevent screen capturing... if it shows on their screen, a screen capture program will grab it of course. Quality will degrade though.

No browser caching in the implementation as above, so that is out the window.

Absolutely agree with you - everyone's situation is different though and some backend logging of how their members interact with the different movie types as well as polling those downloading members helps the owner get a better feel for what their member wants.

I fully agree with you though on this streaming stuff - the streaming media servers can handle the TV boxes (not apple cos they are anti-porn and control everything), so there are ways to contain those too.

for offline browsing, well, your hands are tied - if you want to offer this and your customer base is mainly those that want offline browsing you're wide open to piracy :winkwink:

So basically, the illicit version, even if screen captured, will likely be of higher quality* and of more usability than what paid members will have access to.

* Streaming quality is dependent on sustained throughput, which for many users will be mediocre - pirates are likely to have both a fast connection and a powerful computer for nearly perfect capturing.

Why should one pay for something that's inferior to the free / lower cost version ... seems to me that locking down content, as you described, may be effective in reducing pirating, but will also drive away many paying customers. Paid membership should be a value added, fun experience not a value subtracted, locked down misery.

Ron

encrypted ones only :thumbsup

Why does streaming have to be a poor experience?

I am streaming movies on an active member site from an iphone (3G and none-flash) and it scrubbs perfect, no stuttering etc.

A well set-up streaming server solution with well-encoded mp4 movies is a wonderful experience.

(are people still using 512k modems???)

how about : watermarking the movie with the username on it ? something like that could be made.

yeah, username/IP - that's a great deterrent but huge server overhead (and delay before download) to do that as it needs re-encoding for each download. Possible, but practical?

Are you positive the quality will degrade??? and by how much? what are the factors? I'm going to do some screen-capturing testing to see how much the quality degrades...

are you online icq?

Excellent and a great idea :thumbsup

please put up some screenshots of stream + rip

it has to be said though to rip screens is much more of a pain than downloading, since you have to capture while playing the entire film. No other interaction with the computer while ripping. Impossible to prevent in any situation, but it makes things a shit load harder.

AND like mentioned above, you can overlay username/IP to a stream.... maybe this is what MasterM was touching on - I thought he was saying to add to the downloaded movie, but yes, adding an overlay to the movie can even be done on the embed page, not streaming server side, so no extra server strain.

That way you have the username and IP of the pirate - in that case, you have their CC details via the processor and you can go after them with no problem in the courts :thumbsup

This should work for streaming: http://xuggle.com/xuggler/

If you must allow downloads I think you could also embed some kind of user details as a tag in the avi files (or whatever format) without re-encoding. Then when you see your stuff being shared you can see who is doing it. Obviously that could be removed by the downloader, but it would get past a lot of them. Another option is the user requests a download and the link to download it is emailed to him when it is ready. When a request is made you can send it off to an Amazon EC2 Instance you have setup for this and you can stuff the file with all kind of identifiers (tags, user identifiable strings at certain places in the video, username, etc.).

Can you program the overlay of some sort of serial#/etc on the screen based on what member is watching the vid? -- plz go on icq

I'd think of doing it in a way that the user doesn't realize it's their info. Firstly, it should be a serial #/code that matches a particular user. Then maybe it could be embedded in a way that would only be read by increasing/decreasing the contrast/brightness or something like that.

An overlay can be whatever you want it to be as it's called from the flash player (if that is the app we're talking about here). I've only ever implemented overlays from the embed directly by javascript, but a more robust solution would be to modify the flash player to call an XML file with the parameters to add to the overlay.

I'm on ICQ (as you asked as I rarely fire up ICQ), but won't be free to chat freely for ~1hr or so.

Better to send me an email with your ICQ and I'll hit you up

http://www.asiandivagirls.com/gfy/juicy-reped.jpg

Excellent post - thread subscribed to... :thumbsup

ADG

Oh, I agree. Even just an md5 hash of the username or person's real name would work. It should be hidden as much as possible. Even just a number that flashed on for 1 frame every 60 seconds or so would probably work. You could rotate where it appears in the video too so they can't just blur out one area to hide it. There should be more than one physical tactic used though so if they find one do something to get around it (e.g. rip out the file tags) you have another option to fall back on.

Quick and simple way would be to issue every member with a unique tansp png file thats called via a flash var in the XML file and and placed at random in the view window of the player. :2 cents:

That would work as long as the Secure Token works, but if it gets cracked the stream recorders will get the clean video with no identifiers. Using xuggler you could embed the identifiers in the stream itself so even if the Secure Token is cracked the identifiers are still there.

You can allready buy porn on TV over here, They have pay per view channels so you only pay for 1 nights viewing and you dont have to subscribe to it like a paysite. Its been out for years

:(

Never got an answer.

Yes, it is quite secure.

fuck sorry!!

nope (they will never guess the location and "grab it") - the secure token is only used during the handshake between client and server. You can not prevent the end user knowing the stream/URL or where the content lies but...

1. You should be checking access levels/permissions before you diss up the page that contains the movie embed URL
2. The movie should *never* be accessible from a web server by a direct call
3. eg rtmpe url:

rtmpe://stream.domain.com/members/big_tits_n_ass/01/movie.mp4

tells the streaming server that the application to use (the one that checks for secure token, referrer, memberlogin credentials if supplied) is called "members"

this calls the application-specific config file which states where to find the files (NTP mounts no problem)....

Lets say, your apache root is /var/www and your streaming server's application "members" says content is stored in /content

stuff in /content is only available to the streaming server, not apache. The streaming server will look for the file:

/content/big_tits_n_ass/01/movie.mp4

and stream it - apache can't even touch it.

No way should the movie content directory be accessible from apache - only the streaming server, which already requires lots of paramters to be filled in (see point 3 of OP) before it will even start streaming....

New way to prevent piracy: create, build and launch products/ideas that are not-piratable.

Take notes Robbie. This is how you gain respect, by posting something useful and not you personal tales of greatness.