Slashdot Mirror
'DVD Jon' Breaks Google Video Lock
WillemdeMoor writes "Yahoo News runs a story on Jon Johansen, aka DVD Jon, cracking Google's in-browser video player. Addict3d.org has some more details, including links to Johansen's patch (Win32 executable) and Jon's blog entry at nanocrew.net."
"'DVD Jon' Breaks Google Video Lock
:p ... Talk about a sensational news article :)
Johansen, also known as 'DVD Jon' for his work on decrypting DVD security codes, has created a patch for the Google Video Viewer--less than 24 hours after the search giant shipped the video playback plug-in, a tool based on the open-source VideoLAN media player.
The patch, released on Johansen's 'So Sue Me' blog, effectively disables a modification Google made to the VideoLAN code to prevent users from playing videos that are not hosted on Google's servers."
ROFLMAO!?! Ahahahahaha
Jon made a modification to an OPEN SOURCE media player, removing a trivial protection, and Yahoo news posts a story about him cracking yet another protection mechanism, implying parallels with his past work. This news then spreads to Slashdot.
Awww, come on... I've made countless little mods to open-source apps in order to get them to behave the way I'd like. I've never gotten news coverage for adding "//" before an 'if(condition)' statment.
You can skip the articles they don't tell you much other than what is in the Slashdot Summary. However, the blog entry has the code part on it. Here are all the articles including code entry...
.Net run-time framework, will remove Google's restriction and allow the playback of video files that aren't on the video.google.com server.
6 ,00.asp
// Google mods
.NET runtime.
Story:
Ryan Naraine - PC Magazine Tue Jun 28,10:49 AM ET
Norwegian hacker Jon Lech Johansen has cracked the lock on Google's new in-browser video player.
Johansen, also known as 'DVD Jon' for his work on decrypting DVD security codes, has created a patch for the Google Video Viewer--less than 24 hours after the search giant shipped the video playback plug-in, a tool based on the open-source VideoLAN media player.
The patch, released on Johansen's 'So Sue Me' blog, effectively disables a modification Google made to the VideoLAN code to prevent users from playing videos that are not hosted on Google's servers.
Johansen said the patch, which requires the
The 21-year-old hacker, who faced two trials in Norway in 2002 and 2003 for his role in the release of the
DeCSS decryption software, is a hero to many for his efforts to defeat DRM (digital rights management) mechanisms built into media player technology.
He has been involved in a public cat-and-mouse game with Apple Inc., releasing several tools to bypass the DRM software used to encrypt music sold on the iTunes Music Store. LINK TO: PyMusique Unlocks iTunes Copy Protection. Again. http://www.extremetech.com/article2/0,1558,177952
Johansen has also cracked Apple's AirPort Express's encryption and released a proof-of-concept program that allows
Linux users to play video encoded with Microsoft's proprietary WMV9 codec. The proof-of-concept is based on the VideoLan code.
Addict3d.org more details:
Jon Lech Johansen, "DVD Jon", took just one day to build a crack to allow you to play video on your website using Google's VLC-based player.
This means you can publish video that will play on your webpage and will work for anyone who has Google's player installed.
Johansen, also known as 'DVD Jon' for his work on decrypting DVD security codes, has created a patch for the Google Video Viewer--less than 24 hours after the search giant shipped the video playback plug-in, a tool based on the open-source VideoLAN media player.
Crack can be found here -
http://nanocrew.net/wp-content/GVVPatch.exe
http://nanocrew.net/?p=114
Blog Entry:
Google has released Google Video Viewer, a browser plugin based on VLC. Here's one of the features they've added:
+
+ const char* allowed_host = \"video.google.com\";
+ char * host_found = strstr(p_sys->url.psz_host, allowed_host);
+ if ((host_found == NULL) ||
+ ((host_found + strlen(allowed_host)) !=
+ (p_sys->url.psz_host + strlen(p_sys->url.psz_host)))) {
+ msg_Warn( p_access, \"invalid host, only video.google.com is allowed\" );
+ goto error;
+ }
This "feature" prevents you from playing videos that are not hosted on Google's servers. Download and run this patch I wrote to remove this restriction. Running the patch requires a
Quality Hosting e3 Servers
So, in other words, he modified the source code, which was being distributed. They didn't attempt to obfuscate that they didn't allow it from other hosts. They didn't entangle the code or anything. The code was wide open.
In other words, big friggin deal. All you had to do was grep the code of an error message and a little snipping of the code. Any fool could have done it. Or even screw that, it was domain-based. Setup an HTTP server, modify your hosts file to alias "video.google.com" (or whatever the domain was) to 127.0.0.1, and you're done. Or just modify VLC to know the MIME type "application/x-google-vlc-plugin" and you can play your heart away.
What "crack" will he do next? Take the VLC code to dump the file/stream you're playing, add it to Google's code, and create a Google Stream Ripper? Wow... how... amaz... ing. Or maybe add some awesome skins to the Google player? Yeah, that'd be great. Best part of all, he'll do it in 48 hours, while standing on his head, without sleeping, pizza, or coffee, and while playing the banjo!!!
Free of Flash! Free of Flash!
From the article, the only protection was limiting the allowable sources to video.google.com and adding a new mime type.
Not to undermine Jon, just noting why it took him 24 hours to break this - It was not designed to withstand much of an attack.
Nontheless, most users won't patch, so it will work anyway.
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
Cmon Google.
Get your own free personal location tracker
What's up with Google releasing all these Windows-only apps, anyways? Really, now.
Before everybody starts criticizing Jon... please remember that he's actually not publicising this as being a huge crack operation, it's the sites which are publicising his hack which are. He's just made a minor fix to a program, nowhere on his Blog does he say "OMGZ I HAX0R J00!" Infact he documents the exact way he did it to show that he didn't actually do anything complex.
My 3D Texturing Skinning work (under construction)
Quote:
This means you can publish video that will play on your webpage and will work for anyone who has Google's player installed.
That part is highly misleading! The people who want to view video on your website each individually need to download the patch! It's not very useful to content providers with this restriction.
How about users? Who would download this patch? Well, people who want to watch videos tagged with application/x-google-vlc-plugin that aren't from google. Not too many of these...
Or they will more intelligently do neither saying "Anyone can modify our open source client to do whatever they want, for whatever reason they want."
Do you really think google doens't understand open source?
all DVD Johny did was remove an if statement that checks is the URL is from google or not...
the upshot is you get a VLC plugin that can read some propriatary MS formats (thanx to google paying the bill for those software royalties)
it seems so easy that it's as if Google was just waiting for someone to come in and hack it.
I would rather be ashes than dust!
I think we should all remember that just because Google is the pinnacle of success and is second only to (insert your diety here), Google too can make mistakes.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
If you check out the blog, you'll see that there's a nice goto at the end of the if statement.
Supposedly Google only hires top-coders, so what's up with that?
Various anti-piracy groups are pressuring congress to pass an extention to the DMCA laws, which will effectively outlaw commenting out parts of computer code. Under the new law it will also be illegal to manufacture a computer keyboard with the forward slash '/' key.
What a fabulous idea! I'll get right on it!
Thanks,
Sen. Orrin Hatch
"DVD Jon cracks MythTV to record video from a TV Tuner"
Being funny is my sig nature.
Yahoo News is not a news agency, its just a feed from the Associated Press or Reuters. Yahoo hosts the content from the feeds, that is all.
In his defense though, it's the news source, Yahoo, sensationalizing his mods and not his own blog entry (i.e. he doesn't claim that this is some grand crack). His candor in his blog entry doesn't even hold up to the grandiose imagery of a scheming, brilliant hacker striking another blow against "the man" as painted by Yahoo. I actually feel sort of sorry for the guy given the magnitude of the patch being so inflated.
Or they will more intelligently do neither saying "Anyone can modify our open source client to do whatever they want, for whatever reason they want."
Do you really think google doens't understand open source?
I think you make a very good point. This is perhaps more of an example of Google "doing no evil", creating a tool that, by default, for most casual users, promotes their video feed, while at the same time using a good free software project that allows those who want to, to bypass this setting.
If most people find the restriction onerous, they'll download a patched version (probably from websites that are also offering video). Social and market dynamics can take care of the rest. It seems a fairly reasonable position for Google to take ("we'll try this restriction, and if people really find it offensive, they'll modify the source and outcompete our offering, and we can write it off to experience and not try imposing these sorts of restrictions again. Either way, it probably won't affect our video feed business much.")
I doubt very much it is incompetence--google has much of the best talent around--nor is it a lack of understanding opensource/free software on the part of google, as they've been active in the community for many years.
The Future of Human Evolution: Autonomy
http://code.google.com/patches.html
:)
With that link, and a little knowhow, you, too, can crack the code and make your own Google Video viewer. The upshot is that you can compile it for Linux (Google has only released it for Windows). The downshot is that I'm surprised it took Jon so long to make the change.
It's not like it was hard to find... go to http://video.google.com/ click on "Install", and then click on "Get the source code". It's under "patches".
If you believe everything you read, you'd better not read. - Japanese proverb
A single ampersand will do a bitwise AND with 0 -- which is always 0 -- so you can actually do it with just two added characters.
Does this make me a master hacker?
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Who are "we all"? You think you're a member of some kind of team? Who's to say who's honorable and who are the good guys? This guy did something of interest to him and nothing more. His ideology is simply different than yours and, in his view, google did something sufficiently "evil" (in your words) to merit a response. He doesn't answer to you or to some imaginary "geek community".
Google RSS feeds:
Google releases Google Maps
Google releases Google Desktop Search
Google releases Google Web Accelerator
Google releases Google Video
Yahoo RSS feeds:
Are Google Maps an invasion of your privacy?
Is Google Desktop Search working *too* well?
All about your privacy and Google Web Accelerator: The secret agenda.
Google Video cracked within 24 hours. And privacy.
Here's reaction: It's not hacking, it's just compiling. We gave the world the patch for god's sake.
Co-Editor, Open Sources
Open Source Program Manager, Google, Inc.
Did anyone notice the entire Matrix Revolutions is available there in Google Video? Pretty cool. You might think it's just 30-second clips, but hit "Play whole video" and off it goes. Whole movie. Wondering if this is a special "show-off" case google snuck in, or a black-hat's upload?
see this link for the video
Evan - needs to hit preview before submitting