GFY EDUCATIONAL SERIES: How to prevent Piracy - A new way.

  • borked
    Totally Borked
    • Feb 2005
    • 6284

    #211
    but how would that survive transcoding?

    For coding work - hit me up on andy // borkedcoder // com
    (consider figuring out the email as test #1)



    All models are wrong, but some are useful. George E.P. Box. p202


    • mentaldave
      Registered User
      • May 2007
      • 12

      #212
      Originally posted by Nathan
      borked, very nice...

      now, if we could only setup our own industry wide video fingerprinting so we do not have to pay some company to run it, that would be lovely... q is, can we without using some patent that possibly exists?

      Your current hashes, they change if the image is resized (preserving aspect) or lowered in quality, right? So how can we build hashes which are still accurate enough but do not care about resizing or quality loss?

      Any thoughts on that?

      I am wondering if changing resolution of an image to a very low number, like 50x50 or so, if the colors would get close enough together regardless of how the image is cut or changed in quality?

      IE, take a square part of the inside of an image of around 1000x1000, re-size it to 50x50 using a standard re-size technique which interpolates the colors.

      Then use this on two versions of the same image, jpeg at 100 and jpeg at 50% quality.. and see what happens to the outcome, compare it visually...

      We already have this. Cop-Cms has been developed from the open source software Phash. It uses a multi-threaded hasher and checker and infringes on no patents. Furthermore, it can be run on very low-end servers. We would be willing to let the technology into the industry to allow others to further develop it. It uses both video and audio components.

      Thanks,

      David
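
Added example, not part of any post in this thread and not Cop-Cms or pHash code: a minimal average hash in pure Python for the question quoted in #212, showing that shrinking an image to a tiny grid gives a fingerprint that survives resizing and quality loss. The synthetic images, the 8x8 grid (instead of the 50x50 suggested in the post), the `lossy` stand-in for JPEG re-encoding and the 10-bit match threshold are all assumptions made for the illustration.

```python
import math
import random

MATCH_THRESHOLD = 10  # assumed: max differing bits (of 64) to call two images the same


def synth_image(w, h, fx, fy):
    """Constructed grayscale test image: smooth pattern plus fine texture."""
    rng = random.Random(fx * 31 + fy)
    img = []
    for y in range(h):
        sy = math.sin(2 * math.pi * fy * (y + 0.5) / h)
        img.append([round(128 + 100 * math.sin(2 * math.pi * fx * (x + 0.5) / w) * sy
                          + rng.uniform(-10, 10)) for x in range(w)])
    return img


def box_resize(img, w, h):
    """Downscale by averaging each source block (area interpolation)."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for oy in range(h):
        y0, y1 = oy * src_h // h, (oy + 1) * src_h // h
        row = []
        for ox in range(w):
            x0, x1 = ox * src_w // w, (ox + 1) * src_w // w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def average_hash(img, grid=8):
    """Shrink to grid x grid, then emit one bit per cell: brighter than the mean or not."""
    cells = [v for row in box_resize(img, grid, grid) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (v > mean)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def lossy(img, step=32, seed=1):
    """Stand-in for lossy re-encoding: per-pixel noise plus coarse quantization."""
    rng = random.Random(seed)
    return [[min(255, max(0, round((v + rng.uniform(-6, 6)) / step) * step))
             for v in row] for row in img]


def compare():
    """Hamming distance from the original's hash to each variant's hash."""
    original = synth_image(256, 256, 1, 1)
    small = box_resize(original, 100, 100)  # resized, aspect preserved
    ref = average_hash(original)
    return {
        "resized": hamming(ref, average_hash(small)),
        "lossy": hamming(ref, average_hash(lossy(original))),
        "resized+lossy": hamming(ref, average_hash(lossy(small))),
        "unrelated": hamming(ref, average_hash(synth_image(256, 256, 2, 3))),
    }


if __name__ == "__main__":
    for name, dist in compare().items():
        verdict = "match" if dist <= MATCH_THRESHOLD else "different"
        print(f"{name:14s} distance={dist:2d} -> {verdict}")
```

On real photos a few cells sit close to the mean and their bits flip under re-encoding, which is why the comparison uses a Hamming-distance threshold rather than hash equality.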


      • Baicuk

        #213
        All ingenious is simple

        how much of talk and how much advice, but definitely need a very good understanding of how to do it all and that would work and not slow down the portal


        • awwhoez
          Confirmed User
          • Mar 2011
          • 212

          #214
          Originally posted by ThumbLord
          bookmarked and if I knew how to rep you I would do that as well.
          I opened another bottle of beer so did that do the trick?
          me too, this helped me out


          • Cyber Fucker
            Hmm
            • Sep 2005
            • 12642

            #215
            Great article!


            • gir
              Registered User
              • Mar 2007
              • 13

              #216
              Hi borked,

              Great thread there, you made me post after years of lurking

              Unfortunately it spiralled down from flv DRM to the wonders of image recognition, so let's go back for a little.

              What i'm interested in is a real (that is, not yet cracked) DRM seriously stopping power users and warez scene from sharing the content online.

              Few points about your suggestions:
              • http progressive - kids play, quite a lot know to use dwhelper
              • rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.



              Not many people know about rtmp ripping, but it is expected to progressively get worse (i'm looking forward to rtmpdump support in dwhelper).

              The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..

              Few points about content recognition:
              • Watermarking is deterrent only for casual pirate, and those usually dont do much harm since they dont know how to mirror the site en masse.
              • The analog hole/screen capturing is too slow/tedious/lofi for real-world rips
              • What is important is to prevent warez scene siterips, this is the real cat and mouse.
              • Siterips are usually performed by web scraping bot and member bruteforced l/p combo or using stolen credit card data. Trying to prosecute the card owner wouldn't do much good (in addition to ccbill chargeback).


              So, are we screwed or not?

              IMHO: It can be done if you're willing to play the cat & mouse.

              DRM is tricky. Adobe with RTMPE were foolish enough to drink the Kool-Aid...

              However they've left the door open for clandestine solutions....

              since Flash 10 it is possible to fetch some data, mangle it, and pass it to flv decoder (NetStream.appendBytes), all inside the swf...

              The idea would be:

              on server:
              • encrypt the stream on server using aes key

              in browser (as3/swf):
              • fetch the stream (urlloader, sockets, whatever)
              • some huge obfuscated blackbox generates same key as server and decrypts the stream
              • pass the raw flv to the video object for display


              When someone manages to crack this (HUGE reverse engineering effort), just change the obfuscated blackbox inside the swf and start over again. Perhaps tedious, but plug-in DRM is imho the only effective way i can think of.

              Now I am curious, would there be market interest in doing it this way? Possibly as a managed service, so users of such a solution would be shielded from the cat&mouse mentioned. Probably with some guarantee that the site cannot be readily ripped and published as a single torrent.

              Is there any other way without constant blackbox updates to keep pirates at bay?


              • borked
                Totally Borked
                • Feb 2005
                • 6284

                #217
                so glad I brought you out of lurking...

                Originally posted by gir
                rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.
                Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.

                Originally posted by gir
                The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..
                Why play down wowza? This is a commercial solution, but the same could be implemented (not my forté) with lighttpd. You just need rtmpe+ST


                The rest seem interesting comments but until the first line of defence is broken why consider the next?


                • Robbie
                  Leaner, Meaner, Faster
                  • Aug 2002
                  • 20960

                  #218
                  Originally posted by borked
                  Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.
                  For over two years I've had guys telling me how "easy" it would be to rip my vids...and so far there is not one software available that can download these vids. I've had at least a dozen guys give it a shot and all failed.
                  -Robbie
                  ClaudiaMarie.Com


                  • Mutt
                    Too lazy to set a custom title
                    • Sep 2002
                    • 34431

                    #219
                    Is Borked's solution the same as the one Stickyfingerz and Robbie have?
                    I moved my sites to Vacares Hosting. I've saved money, my hair is thicker, lost some weight too! Thanks Sly!


                    • Mutt
                      Too lazy to set a custom title
                      • Sep 2002
                      • 34431

                      #220
                      Originally posted by Robbie
                      For over two years I've had guys telling me how "easy" it would be to rip my vids...and so far there is not one software available that can download these vids. I've had at least a dozen guys give it a shot and all failed.
                      I just searched 'Claudia Marie' at filestube.com and on the first page of search results are videos watermarked ClaudiaMarie.com, as well as scenes with her from other sites which i realize you have no control over - the links to the files stored at Filesonic, Oron are as of the moment working.

                      • Robbie
                        Leaner, Meaner, Faster
                        • Aug 2002
                        • 20960

                        #221
                        Originally posted by Mutt
                        I just searched 'Claudia Marie' at filestube.com and on the first page of search results are videos watermarked ClaudiaMarie.com, as well as scenes with her from other sites which i realize you have no control over - the links to the files stored at Filesonic, Oron are as of the moment working.
                        There are older movies from 2007 before I started protecting my stuff out there. RYC goes and DMCA's them down.

                        Also...I freely give a downloadable version for each scene as well...but it's a tiny resolution and very low bit rate version.

                        Trust me...they aren't downloading the high res stream. Not saying that someone couldn't figure out a way to do it...but no software (including Replay) can even find the video, much less download it.
                        -Robbie
                        ClaudiaMarie.Com


                        • Mutt
                          Too lazy to set a custom title
                          • Sep 2002
                          • 34431

                          #222
                          Originally posted by Robbie
                          There are older movies from 2007 before I started protecting my stuff out there. RYC goes and DMCA's them down.

                          Also...I freely give a downloadable version for each scene as well...but it's a tiny resolution and very low bit rate version.

                          Trust me...they aren't downloading the high res stream. Not saying that someone couldn't figure out a way to do it...but no software (including Replay) can even find the video, much less download it.
                          that's good then, are you using borked's method or something else?

                          • gir
                            Registered User
                            • Mar 2007
                            • 13

                            #223
                            Originally posted by borked
                            so glad I brought you out of lurking...

                            Why do you say this - if you can give me an example of an app that can rip an rtmpe stream that is secured with "SecuredToken" or similar, I'm all ears.
                            exactly the false sense of security i'm talking about, ignorance is bliss..

                            Originally posted by hysteria.cz/sd/rtmpdump/rtmpsuck.c
                            /* This is a Proxy Server that displays the connection parameters from a
                            * client and then saves any data streamed to the client.
                            */
                            rtfm....
                            Originally posted by hysteria.cz/sd/rtmpdump/README
                            rtmpsuck - proxy server. See below...

                            All you need to do is redirect your Flash clients to the machine running this
                            server and it will dump out all the connect / play parameters that the Flash
                            client sent. The simplest way to cause the redirect is by editing /etc/hosts
                            when you know the hostname of the RTMP server, and point it to localhost while
                            running rtmpsrv on your machine. (This approach should work on any OS; on
                            Windows you would edit %SystemRoot%\system32\drivers\etc\hosts.)

                            On Linux you can also use iptables to redirect all outbound RTMP traffic. You
                            need to be running as root in order to use the iptables command.

                            In my original plan I would have the transparent proxy running as a special
                            user (e.g. user "proxy"), and regular Flash clients running as any other user.
                            In that case the proxy would make the connection to the real RTMP server. The
                            iptables rule would look like this:

                            iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner \! --uid-owner proxy \
                            -j REDIRECT
                            Go play for yourself.

                            The problem is, of course, that RTMPE is just mere weak obfuscation (the key is computed from .swf sha256).

                            The source .swf is all you need for successful proxying via rtmpsuck. The token is just simple _connection.call("secureTokenResponse", null, "blahblah"); hardcoded in the .swf ... does not matter, rtmpsuck just follows the session along and hops on the play packet.

                            Note that securetoken wowza plugin *does not* encrypt the flv data (aside the initial RTMPE obfuscation), it just authorizes the current session to issue the play call. It relies on the already broken Adobe scheme, which is why you need to go to great lengths if things should be really hard to break.

                            Not sure about if there are any working windows GUI tools, however rtmpdump is what is used for real-world browser automaton scraping (see my rants about complete siterips).

                            note: Yes, I am somewhat involved with mplayer/ffmpeg/rtmpd folk. Don't hate em, you're all using the same shady ffmpeg nonetheless..
                            Last edited by gir; 04-24-2011, 07:11 PM.


                            • OnanistsCash
                              Confirmed User
                              • Mar 2011
                              • 183

                              #224
                              Nice thread bro. I love people that take the time to help others like that. The tutorial rocks!!

                              On the other hand, I'm not saying at all these schemes are not valid or should not be taken into consideration, still, if the end user is able to watch the movie, then it's just about how complex and time consuming the leecher wants to spend on the reverse engineering process ....

                              And when it comes to watching a stream, there is a server which sends it ( encrypted or not ) and the end user who renders that stream ( encrypted or not ), at the end, it's all raw information, an experienced leecher would just have to hook the appropriate syscall/DLL call after the stream is decrypted and he has the full stream as if he downloaded it ....

                              Again, i think it's an interesting thing to discuss about letting end users download or not the movies to prevent piracy, but i think that's the discussion we should focus on, not in just protecting our movies, believe me on this one, the leechers, the big ones .... Usually are very experienced users with enough knowledge to do this or have plenty "hacker" friends close who would easily make a DLL/syscall hook for him to achieve this stream encryption bypassing.

                              So the question here is, are the average end users who we are targeting on selling memberships and actually buy them the ones that leech content, or its only a bunch of guys that join, download all content and then upload it to major tubes, torrents, etc?

                              If we are talking about this bunch i mention, forget it, all you mentioned wont secure the stream, now if an important % of the pirated content comes from the average end user, then its worth the try.

                              I think the only good way to know this, would be that some big player starts fingerprinting their movies, if we start finding all their movies with only a bunch of fingerprints, then as i told you, forget it, its a bunch of specialized leechers you can't fight, if we find out thousands of different fingerprints, then the average user is becoming a threat and we should stop letting them download movies. Problem is, today most major big players are involved somehow in piracy, so who would give the step and fingerprint their movies to check this???

                              Why not just implement it still? Because i personally like downloading movies and i think lots of end users do too, to watch it on their TVs, have it on their collections, etc, and not necessarily to pirate it, so, if that end user is not the problem, it would be a bad choice from a marketing point of view disabling them from the ability to make the downloads.

                              My two cents.
                              **** GREAT OPPORTUNITY! I SAY IT ;) ****

                              Selling PaySite + Program + Tons of Promo Content + Hybryd TGP + Everything you need to start quick, jus focus on pushing traffic :P http://gfy.com/showthread.php?t=1071451

                              **** GREAT OPPORTUNITY! I SAY IT ;) ****


                              • OnanistsCash
                                Confirmed User
                                • Mar 2011
                                • 183

                                #225
                                Originally posted by gir
                                Hi borked,

                                Great thread there, you made me post after years of lurking

                                Unfortunately it spiralled down from flv DRM to the wonders of image recognition, so let's go back for a little.

                                What i'm interested in is a real (that is, not yet cracked) DRM seriously stopping power users and warez scene from sharing the content online.

                                Few points about your suggestions:
                                • http progressive - kids play, quite a lot know to use dwhelper
                                • rtmp/rtmpe in wowza is all cool and nice, however all this is simply circumvented (including sessions, tokens..) by freely available rtmpdump/rtmproxy and GUI clones based on it.



                                Not many people know about rtmp ripping, but it is expected to progressively get worse (i'm looking forward to rtmpdump support in dwhelper).

                                The truth is, progressive/f4v streaming is cheaper since you'll sacrifice wowza beast which provides only thin layer of false sense of security at the significant expense of server resources..

                                Few points about content recognition:
                                • Watermarking is deterrent only for casual pirate, and those usually dont do much harm since they dont know how to mirror the site en masse.
                                • The analog hole/screen capturing is too slow/tedious/lofi for real-world rips
                                • What is important is to prevent warez scene siterips, this is the real cat and mouse.
                                • Siterips are usually performed by web scraping bot and member bruteforced l/p combo or using stolen credit card data. Trying to prosecute the card owner wouldn't do much good (in addition to ccbill chargeback).


                                So, are we screwed or not?

                                IMHO: It can be done if you're willing to play the cat & mouse.

                                DRM is tricky. Adobe with RTMPE were foolish enough to drink the Kool-Aid...

                                However they've left the door open for clandestine solutions....

                                since Flash 10 it is possible to fetch some data, mangle it, and pass it to flv decoder (NetStream.appendBytes), all inside the swf...

                                The idea would be:

                                on server:
                                • encrypt the stream on server using aes key

                                in browser (as3/swf):
                                • fetch the stream (urlloader, sockets, whatever)
                                • some huge obfuscated blackbox generates same key as server and decrypts the stream
                                • pass the raw flv to the video object for display


                                When someone manages to crack this (HUGE reverse engineering effort), just change the obfuscated blackbox inside the swf and start over again. Perhaps tedious, but plug-in DRM is imho the only effective way i can think of.

                                Now I am curious, would there be market interest in doing it this way? Possibly as a managed service, so users of such a solution would be shielded from the cat&mouse mentioned. Probably with some guarantee that the site cannot be readily ripped and published as a single torrent.

                                Is there any other way without constant blackbox updates to keep pirates at bay?

                                LOL, finally i see some real coders here ;)

                                Bro, why bother reverse engineering a stream when you can simply fetch it already decoded at the end user's computer with a simple dll hook?

                                All you say is great if you are trying to sniff the connection, but for what we are talking, an end user ( Leecher or not ) grabbing the content, they don't need to reverse engineer the stream, they just have to wait for the stream to be decrypted and save it via the syscall/dll hook

                                btw, catch me up anytime you want, its been years i don't hear someone speaking that "language" Lets keep in touch