Slashdot Mirror


Adobe Flaw Allows Full Movie Downloads For Free

webax writes with this excerpt from Reuters: "[An Adobe security hole] exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience. 'It's a fundamental flaw in the Adobe design. This was designed stupidly,' said Bruce Schneier ... The flaw rests in Adobe's Flash video servers that are connected to the company's players installed in nearly all of the world's Web-connected computers. The software doesn't encrypt online content, but only orders sent to a video player such as start and stop play. To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players." webax also notes that the article suggests DRM as a potential solution to the problem.

166 comments

  1. Ixnay ehtay olehay iscussionday by Anonymous Coward · · Score: 5, Funny

    Eriouslysay.

    1. Re:Ixnay ehtay olehay iscussionday by Anonymous Coward · · Score: 0

      If I go to Amazon's video on demand service I get "Looking for something? We're sorry. The Web address you entered is not a functioning page on our site." Have they pulled the service, or is it failing because I'm abroad?

    2. Re:Ixnay ehtay olehay iscussionday by redJag · · Score: 1

      I wouldn't think a respectable company like Amazon would discriminate against broads. On a side note, the site seems to work for me.

    3. Re:Ixnay ehtay olehay iscussionday by Anonymous Coward · · Score: 0

      Sure, if you shove it down my throat real hard, and have big fists.

      But you have to lick my feet!

  2. Doublethink by QuantumG · · Score: 5, Insightful

    Wow, so even Bruce Schneier is subject to the DRM double think now? What part of this is hard to understand? You have to give the viewer the key so it can decrypt the video stream and play it to the user.. if the user can see it, the user can record it. Game over. No amount of "encryption" can change the facts.

    --
    How we know is more important than what we know.
    1. Re:Doublethink by The+Iso · · Score: 5, Informative

      Schneier didn't write the article. He is only quoted briefly.

      --
      "You don't need a weatherman to know which way the wind blows." - Bob Dylan
    2. Re:Doublethink by Anonymous Coward · · Score: 4, Funny
      From TFA:

      To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players." webax also notes that the article suggests DRM as a potential solution to the problem.

      Whoa. Just...whoa. Friday night cognitive dissonance too much to handle!

    3. Re:Doublethink by QuantumG · · Score: 2, Funny

      I know, I actually read the article. Strange to be sure.

      --
      How we know is more important than what we know.
    4. Re:Doublethink by The+Iso · · Score: 1

I should assume such. You are marked as a friend, so evidently I judged at some point that you are an intelligent man. Still, I don't see how you could infer from this article that Schneier endorses DRM. He calls Adobe's design "stupid" without going into detail, and isn't mentioned again.

      --
      "You don't need a weatherman to know which way the wind blows." - Bob Dylan
    5. Re:Doublethink by QuantumG · · Score: 1

      That he would say their design is stupid suggests that he believes *some* design exists to do what they want, which is not stupid. His comment, if any, should have been "that's not possible anyway, so Adobe's design is as good as any".

      --
      How we know is more important than what we know.
    6. Re:Doublethink by Anonymous Coward · · Score: 1, Funny

      Or maybe you marked him as "friend" in order to taunt him after he temporarily marked you as a foe.
      He's an easy tweak like that.

    7. Re:Doublethink by lysergic.acid · · Score: 3, Insightful

      yea, i think Adobe did the smart/sensible thing by leaving the stream unencrypted to boost download speeds. performance and speed are major considerations for streaming media.

      like you said, you ultimately have to give the user access to the unencrypted data so that they can view the content. so if they had done what the author suggests they should have done, then they would have just ended up with a streaming technology that's slower & wastes more bandwidth, and the DRM scheme still would have been easily bypassed by hackers.

it's pointless to apply DRM to web content, as it is with offline content. it's always amusing to see website developers try to prevent visitors from saving images from the site--which is especially annoying when they use JavaScript to disable right-clicking, as if that'll stop anyone from saving an image to disk when it's already on their hard drive. these petty tactics simply insult visitors to the site and create a major annoyance for anyone who simply wants to access a command from the context menu. but i guess driving visitors away and decreasing the traffic to your site would reduce the chance of people stealing your precious lossy, lo-res jpeg images.

    8. Re:Doublethink by lysergic.acid · · Score: 1

      hey, i know the best security method if you don't want people having unfettered access to your video content--don't stream it over the internet.

    9. Re:Doublethink by David+Jao · · Score: 4, Interesting

      The dumb part here is that they send the whole movie to your computer even if you're just watching the free two-minute preview. The two-minute restriction is only enforced in the flash applet. Now, no amount of DRM can stop a paying customer from copying the movie, but a smartly designed system could certainly make the customer pay for the movie before giving the whole movie to them.

    10. Re:Doublethink by Free+the+Cowards · · Score: 1

      He may have been commenting about the part where they send people the entire movie before they've paid for it, so that it can start playing sooner once they pay. That is a truly boneheaded move regardless of what you think of DRM.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    11. Re:Doublethink by Free+the+Cowards · · Score: 1

      A design which does not stream the entire movie to a user before he's even paid any money could qualify as "not stupid".

      --
      If you mod me Overrated, you are admitting that you have no penis.
    12. Re:Doublethink by Anonymous Coward · · Score: 0

      Whoa. Just...whoa. Friday night cognitive dissonance too much to handle!

      It's Presidental Debate Night, duh.

    13. Re:Doublethink by peter · · Score: 1

      As others have said, streaming un-paid-for unencrypted video is dumb.

      You could send the first couple minutes unencrypted since anyone can watch it free (preview). Then start streaming the rest encrypted, and send the decryption key when the user pays. It doesn't have to be DRM, it could just decrypt the file.

      --
      #define X(x,y) x##y
      Peter Cordes ; e-mail: X(peter@cordes , .ca)
    14. Re:Doublethink by Spy+der+Mann · · Score: 5, Insightful

      The dumb part here is that they send the whole movie to your computer even if you're just watching the free two-minute preview. The two-minute restriction is only enforced in the flash applet.

      Web programming 101.
      Children, repeat after me: When you program for the web, NEVER, EVER trust the client.

    15. Re:Doublethink by TubeSteak · · Score: 4, Insightful

      Now, no amount of DRM can stop a paying customer from copying the movie, but a smartly designed system could certainly make the customer pay for the movie before giving the whole movie to them.

      Having the preview show you a preview length clip is not a "smartly designed system" it is basic common sense.

Any site that tries to protect its content with stupid tricks instead of creating separate content for the preview honestly deserves what comes its way.

      I guess content providers have to make a decision as to which is cheaper &/or better:
      1. Licensing DRM
      2. Buying extra hard drives to store preview clips instead of streaming from the full movie/audio/whatever

      --
      [Fuck Beta]
      o0t!
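
Editor's note: the point made in the last few comments (the two-minute limit lives only in the player, so the server hands out the whole file) is a server-side authorization problem. Below is an added example, written for this mirror and not code from any poster, from Adobe or from Amazon, of a range-serving handler in which the server clamps what it sends to the preview window unless its own entitlement table says the session has paid. `Title`, `ENTITLEMENTS`, `serve`, the constant bitrate and the sample media are all constructed for the illustration.

```python
"""Server-side enforcement of a free-preview window (constructed example).

The server, not the player, decides how many bytes of a title a session may
receive.  Entitlements are looked up in a server-side table keyed by session
id; nothing the client asserts about itself (query parameters, headers, the
rendition it asks for) is trusted.
"""
import re
from dataclasses import dataclass, field

PREVIEW_SECONDS = 120          # the free clip everyone may watch


@dataclass
class Title:
    title_id: str
    bitrate_bps: int           # constant bitrate assumed for the example
    data: bytes = field(repr=False)   # stand-in for the media file on disk

    @property
    def full_bytes(self) -> int:
        return len(self.data)

    @property
    def preview_bytes(self) -> int:
        # bytes that cover the first PREVIEW_SECONDS at this title's bitrate
        return min(self.full_bytes, PREVIEW_SECONDS * self.bitrate_bps // 8)


# Constructed server-side state: which sessions have paid for which titles.
ENTITLEMENTS = {"sess-paid": {"tt001"}, "sess-free": set()}

# Constructed sample: 5000 bytes at 80 bit/s, so the preview window is 1200 bytes.
SAMPLE = Title("tt001", 80, bytes(i % 256 for i in range(5000)))


def parse_range(header):
    """Parse an HTTP 'bytes=start-end' header (end optional).

    Returns (start, end_or_None), or None when absent or malformed.
    """
    if header is None:
        return None
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", header.strip())
    if not m:
        return None
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else None
    return start, end


def serve(title, session_id, range_header=None, query=None):
    """Return (status, first_byte, last_byte, body) for one request.

    `query` stands for anything the client claims about itself ("paid=1",
    "rendition=full"); it is deliberately never consulted.  The limit comes
    from ENTITLEMENTS alone.
    """
    entitled = title.title_id in ENTITLEMENTS.get(session_id, set())
    limit = title.full_bytes if entitled else title.preview_bytes

    rng = parse_range(range_header)
    start, end = (0, None) if rng is None else rng
    if end is not None and end < start:
        return 416, None, None, b""          # Range Not Satisfiable
    if start >= limit:
        # Paid sessions asking past EOF get 416; free sessions asking past
        # the preview window are refused outright rather than served.
        return (416 if entitled else 403), None, None, b""
    if end is None or end >= limit:
        end = limit - 1                      # clamp to what this session may have

    body = title.data[start:end + 1]
    status = 200 if (start == 0 and end == title.full_bytes - 1) else 206
    return status, start, end, body


if __name__ == "__main__":
    for sess, hdr in (("sess-free", None), ("sess-free", "bytes=1200-"),
                      ("sess-paid", None), ("sess-paid", "bytes=4000-")):
        status, first, last, body = serve(SAMPLE, sess, hdr)
        print(sess, hdr, "->", status, first, last, len(body), "bytes")
```

The same idea works with a separate, shorter preview rendition (as suggested above): the server maps an unentitled session onto the preview file and never opens the full one for it. Either way the check is on the server, and the player's "stop at two minutes" becomes a convenience rather than the control.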
    16. Re:Doublethink by QuantumG · · Score: 1

      Which would still, in no way, stop the user from copying the film.. which is the point of the article. I don't know where you got the idea that they were just trying to stop people from getting more than the teaser.

      --
      How we know is more important than what we know.
    17. Re:Doublethink by Anonymous Coward · · Score: 0

      Rrrright

      The guy whom every slashdotter quotes when they want to show why DRM is theoretically infeasible would just suddenly change his mind and announce it in a subtle and off-hand comment quoted as a sound-bite in an article with a focus on a peripheral topic.

      Or

      There is a larger context to the quote, but you've typed yourself into a corner and can't just suck it up and admit you made a dumbass comment and then let ... it ... go.

    18. Re:Doublethink by Anonymous Coward · · Score: 0

      <step away from the books>

      I repeat:

      This is the TGIF police department

      <step away from the books>

    19. Re:Doublethink by WTF+Chuck · · Score: 1

      2 minute clip, 2 hour movie. If I didn't know what the movie was about, and didn't like the preview, I'd be awful pissed at wasting the bandwidth to DL the whole thing. I'd probably go the extra yard though, wasting a lot more bandwidth, and torrent the thing just for spite.

      --
      Note - Liberal use of <sarcasm> tags may or may not need to be applied.
    20. Re:Doublethink by QuantumG · · Score: 0, Flamebait

      Huh? Bruce Schneier has shown numerous times that he's a complete dick who is on par with Dvorak in his trolling and whoring self promotion. This is the guy who said for years that strong encryption was the bee's knees of security and we need not concern ourselves with all those lowly details of implementation, etc. He had to make a public apology for his blasé attitude to matters of security outside his personal little kingdom of encryption when he was shown up for commenting so stupidly outside his field.. then weeks later he was once again claiming the rock star security guru title. I think a lot of people buy it simply because he has a nickel more common sense when it comes to security matters than the average bear but he's not infallible.

      --
      How we know is more important than what we know.
    21. Re:Doublethink by Anonymous Coward · · Score: 0

      Cite it or get off the pot.

      But regardless, attacks on his character are not even close to be a plausible rebuttal.

      I think you are off your meds again.

    22. Re:Doublethink by MichaelPenne · · Score: 1

      Any site that try to protect their content with stupid tricks

      Actually, what they did was trade-off stream security for the user experience - if the stream does pre-load, then the viewer can start viewing the movie much faster after they pay.

It's actually kind of a _good trick_ if enough of your users do pay, as they get the video they pay for much faster (since it's already pre-loaded) than if the paid content was sent in a separate stream that did not start until after the payment was processed. Faster viewing may = happier viewers = more use of the service.

      Mainly, this is an artifact of delivering video via http/progressive download vs. rtsp - you have a few options:
      1. deliver one stream - tradeoff - geeks can view for free
      2. deliver two streams - tradeoff - slow, annoying start up while you wait for the second stream to load enough to start playing
      3. use rtsp - tradeoff - reduces the quality of the video to match minimum bandwidth between the server and the viewer

      I guess a system designed by a video geek would probably lean towards providing the best quality viewing experience while making it possible for a geek to get the video for free:-).

    23. Re:Doublethink by QuantumG · · Score: 1

      Meh, you suggested that I was somehow "typed into a corner" and so I needed to make up some reasoning for why the great Bruce Schneier might be wrong. I was simply explaining that I've always thought he was wrong on most everything he says that isn't just plain common knowledge of professionals in security fields. He has said that DRM is "in principle" just not a workable idea.. and he has commented on particular DRM schemes and why they are broken. His general stance is common knowledge.. it also happens to be naive. There are plenty of places where client-side restrictions *can* be effective - if the implementers are willing to shoulder certain costs - namely, changing the mechanism regularly. This is the kind of technique that encryption experts call "security through obscurity" or "mere obfuscation" and look down on as unworkable.. but it is workable - it's just not very cheap. His specific commentary on DRM solutions, when not completely obvious, is typically misguided. That is to say, whenever he tries to say something that is actually of any worth - he gets it wrong. This is my opinion. Yours may differ. But don't go saying that I'm lying to "get out" of a corner or something.

      BTW - if you're just trolling me, congratulations.. I don't know why I keep responding to ACs. Just glutton for punishment I guess.

      --
      How we know is more important than what we know.
    24. Re:Doublethink by KGIII · · Score: 1, Troll

      On /. DRM doesn't mean what it really means and they won't bother checking the beloved wikipedia. DRM != Copy Protection but Copy Protection is one form of DRM. They will ignore the meanings and say it is "Digital Restrictions Management" because they don't like the real meaning. I can't, and wouldn't, presume to speak for Bruce so I won't. Either way, here it means something other than what it means in the real world.

      --
      "So long and thanks for all the fish."
    25. Re:Doublethink by Anonymous Coward · · Score: 0

      Where is this public apology you freaking dissembling fruitcake?
      Where?
      You just keep painting and painting and that clear space in the corner keeps getting smaller and smaller.

    26. Re:Doublethink by QuantumG · · Score: 1

Copy Protection is one form of DRM, yes.. I haven't seen anyone on /. suggest otherwise. Bruce typically refers to "client side restrictions" instead of saying "DRM" in any case.

      --
      How we know is more important than what we know.
    27. Re:Doublethink by QuantumG · · Score: 1

      I don't have bookmarks from YEARS ago asshole. Go find it yourself. For fuck sake. It was comedy value at the time but it was hardly worth putting in my scrap book. Fucking hell.

      --
      How we know is more important than what we know.
    28. Re:Doublethink by QuantumG · · Score: 1

      http://www.schneier.com/crypto-gram-0008.html

      "I came to security from cryptography, and framed the problem with classical cryptography thinking. Most writings about security come from this perspective, and it can be summed up pretty easily: Security threats are to be avoided using preventive countermeasures.

      For decades we have used this approach to computer security. We draw boxes around the different players and lines between them. We define different attackers -- eavesdroppers, impersonators, thieves -- and their capabilities. We use preventive countermeasures like encryption and access control to avoid different threats. If we can avoid the threats, we've won. If we can't, we've lost.

      Imagine my surprise when I learned that the world doesn't work this way."

      Imagine how unsurprised the rest of us were.

      --
      How we know is more important than what we know.
    29. Re:Doublethink by Anonymous Coward · · Score: 0

      Lol THAT is a "public apology" for a "blasé attitude to matters of security?"

      You clearly have a reading comprehension problem, which I guess would explain why you started this thread in the first place.

    30. Re:Doublethink by Anonymous Coward · · Score: 0

      I know, I actually read the article. Strange to be sure.

      Don't worry, you'll get the hang of this place soon: post FIRST (and FIRST POST if you can), RTFA... never! :-)

    31. Re:Doublethink by QuantumG · · Score: 1

      well, that's the only link I could find.. and frankly, I can't really tell if he's just faking ignorance to claim that he had some kind of epiphany that you too can share, if you just go buy his book. In fact, the apology is likely in said book which was considered hilarious by everyone in the security industry at the time. "Bruce Discovers Cryptography Can't Cure Cancer" and such. I guess you've gotta have someone to say the obvious things.

      --
      How we know is more important than what we know.
    32. Re:Doublethink by zip_000 · · Score: 1

      I visited a site a few months ago that had all the standard annoying things...the ones that I remember now are the disabled right-click and not working in anything other than IE. So, I sent them an email explaining why this was such a bad business decision - thinking that it would make me feel better even though they would never change anything. I had to go back to that page a few weeks ago, and amazingly, they had fixed everything that I complained about. I was stunned.

    33. Re:Doublethink by logicmethod · · Score: 4, Insightful

Flash Player has had the critical flaw of not being able to cancel HTTP requests for years. This causes all kinds of problems for Flash / Flex developers across the board, not only for media streaming applications. Adobe has finally implemented a fix in Flash Player 10--which should be out of beta in the next few weeks--that allows the developer to actually cancel a request and stop the stream. The development community has been bringing this to Adobe's attention for years, and why it has only now been addressed is beyond me--it seems so basic. I agree that it isn't a great idea to use the actual media for a preview versus creating a separate preview version, but this flaw makes it extremely easy to grab any file that Flash requests.

    34. Re:Doublethink by Antique+Geekmeister · · Score: 2, Interesting

      Lots of folks here need to review the Palladium toolkit, renamed 'Trusted Computing'. It's designed to lock files to applications to hardware, in a triad specifically set up to control what users can do with their files and make them unavailable except for owner authorized software with centralized key management. This sort of thing is _precisely_ what it was designed for: the security enhancements it provides are potentially useful, but DRM is clearly its fundamental purpose.

    35. Re:Doublethink by electrictroy · · Score: 1

      Exactly. Even if Adobe had encryption, there are still ways to capture anything shown on the screen. One solution uses software to do screen image captures 10, 15, or 30 times a second. If that doesn't work, a less-elegant but still workable solution is to point a camcorder at the screen and press record.

      Although, I'm not sure why somebody would even *want* to capture streaming video. (1) Its bitrate is low and poor quality (typically 500 kbit/s). Plus (2) you can buy the content cheaply ($30-50 per television season) so it's not worth the effort to try to capture it (imho). Clicking "buy" on amazon is so much easier.

      --
      The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
    36. Re:Doublethink by squiggleslash · · Score: 5, Insightful

      Well, there are many points to the article, but one of them is that someone can watch the movie for free because Adobe's server software is set up to continue streaming the movies after showing the free "clip". That, indeed, is "stupid", it relies upon trusted client software. DRM is one solution to this problem, but another is not to stream content to people's PCs they haven't paid for.

      --
      You are not alone. This is not normal. None of this is normal.
    37. Re:Doublethink by Anonymous Coward · · Score: 0

      Plus, the users who do just want the two-minute preview are going to be much happier when they don't have to download the full movie.

    38. Re:Doublethink by Free+the+Cowards · · Score: 2, Insightful

      But we're not talking about the point of the article, we're talking about the point of Bruce Schneier's quote.

      If the user can copy your media after having paid for it, well, that's just how things are. But if the user can pirate your media off your own servers without ever having paid for it, that is downright stupid. Given the vagueness of Schneier's quote he could very well have been referring to that.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    39. Re:Doublethink by Anonymous Coward · · Score: 0

      Right, they could simply move to using two different files to stream previews and paid content. No?

    40. Re:Doublethink by debatem1 · · Score: 2, Insightful

      "There is no cryptographic solution to the problem in which the attacker and intended recipient are the same person"
      When will they learn?

    41. Re:Doublethink by Hynee · · Score: 1

      A design which does not stream the entire movie to a user before he's even paid any money could qualify as "not stupid".

      Which would still, in no way, stop the user from copying the film.. which is the point of the article. I don't know where you got the idea that they were just trying to stop people from getting more than the teaser.

      Err... yes it would. There are two "security" holes:

      1. You can download the whole movie without paying any money
2. You can download the whole movie when you only pay for rental. You're supposed to pay ~4 times as much to have the right to download and save it.

      #1 is obviously the bigger problem or "security hole", because I would guess that hardly anyone would pay to "rent" from Amazon, when they can just download the movie from P2P. Problem #1 means Amazon Movies on Demand are basically a mixture of YouTube and The Pirate Bay.

      They could fix this by only streaming the first 2 mins for the free preview. Simple.

      --
      Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
    42. Re:Doublethink by Atlantis-Rising · · Score: 1

      I think that depends on how you define 'attacker' and 'intended recipient'.

      For example, logic would dictate that with conventional DRM schemes, the 'intended recipient' is not the person who bought the material, but rather the system which is authorized to receive it.

      That creates a different paradigm, to which there are many cryptographic solutions but similarly, to which there are dozens of attack vectors due to having the decryption hardware essentially in enemy hands.

      However, that's not to say it's at all impossible; it's just practically difficult. The solution is to create a ground-up secure system which relies on hardware tamperproofing, among other things.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    43. Re:Doublethink by pv2b · · Score: 1

      Actually, this isn't as bad an idea as you might think.

      Consider what Adobe's goal in all this is. They want to be able to stream an entire video to your computer, in anticipation that you will pay for it. They could conceivably do this by transmitting the video to the presumptive buyer encrypted. At purchase, Adobe's servers would transmit the decryption key.

      Now, true, this won't do anything to stop anybody from copying the video *after* it's been paid for. But in this particular case, encryption technology *can* be used to solve the particular problem of being able to pre-stream video content to a potential buyer without allowing him to view the material, in a cryptographically sound way.

      I'm not sure if this would fit under the traditional definition of DRM though -- after all, the scheme I propose is cryptographically sound. :-P
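
Editor's note: the scheme peter and pv2b describe (send the preview in the clear, pre-stream the rest encrypted, release the content key at purchase) is implemented below as an added example for this mirror; it is not code from either poster, from Adobe or from Amazon. The names `CHUNK`, `seal_chunk`, `package` and `playable` are mine. The stdlib construction used for the chunks (HMAC-SHA256 keystream, encrypt-then-MAC with the chunk index bound into the tag) is a stand-in, assumed here only so the example runs without third-party packages; a real deployment would use an AEAD such as AES-GCM in its place. The `wire_bytes` helper also shows the per-chunk overhead behind the bandwidth objection raised further down the thread: a fixed nonce plus tag per chunk, not a second copy of the stream.

```python
"""Pre-stream a title while withholding everything after the preview.

Constructed example.  The preview chunks travel in the clear; every later
chunk is encrypted under a per-title content key that the server hands over
only after payment.  A client may have the whole file cached before it buys,
but cannot play past the preview until it holds the key.

Cipher note: the HMAC-SHA256 keystream + HMAC tag below is a stdlib stand-in
for a real AEAD (e.g. AES-GCM); it is assumed, not recommended, for this demo.
"""
import hashlib
import hmac
import os
import struct

CHUNK = 65536          # bytes of media per chunk
NONCE_LEN = 12
TAG_LEN = 32           # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(content_key: bytes):
    """Derive separate encryption and MAC keys from the content key."""
    return (hashlib.sha256(b"enc" + content_key).digest(),
            hashlib.sha256(b"mac" + content_key).digest())


def seal_chunk(content_key: bytes, index: int, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the chunk index is bound into the tag."""
    enc, mac = _subkeys(content_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, struct.pack(">I", index) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_chunk(content_key: bytes, index: int, sealed: bytes) -> bytes:
    """Verify the tag (constant-time), then decrypt; raises on any mismatch."""
    enc, mac = _subkeys(content_key)
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(mac, struct.pack(">I", index) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("chunk %d: bad tag (wrong key, tampered, or reordered)" % index)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def verify_chunk(content_key: bytes, index: int, sealed: bytes) -> bool:
    """True if the chunk authenticates under this key at this index."""
    try:
        open_chunk(content_key, index, sealed)
        return True
    except ValueError:
        return False


def package(media: bytes, preview_bytes: int):
    """Split media into chunks: clear inside the preview window, sealed after.

    Returns (chunks, content_key); the key stays on the server until purchase.
    """
    content_key = os.urandom(32)
    chunks = []
    for i in range(0, len(media), CHUNK):
        piece = media[i:i + CHUNK]
        if i + len(piece) <= preview_bytes:
            chunks.append(("clear", piece))
        else:
            chunks.append(("sealed", seal_chunk(content_key, i // CHUNK, piece)))
    return chunks, content_key


def playable(chunks, content_key=None) -> bytes:
    """What the player can render: clear chunks always, sealed ones only with the key."""
    out = bytearray()
    for idx, (kind, body) in enumerate(chunks):
        if kind == "clear":
            out += body
        elif content_key is not None:
            out += open_chunk(content_key, idx, body)
        else:
            break                       # the paywall: no key, no more playback
    return bytes(out)


def wire_bytes(chunks) -> int:
    """Bytes actually sent; exceeds the media by NONCE_LEN + TAG_LEN per sealed chunk."""
    return sum(len(body) for _, body in chunks)


# Constructed sample: 256 KiB of "media", two-chunk (128 KiB) preview.
MEDIA = bytes(range(256)) * 1024
CHUNKS, CONTENT_KEY = package(MEDIA, 2 * CHUNK)

if __name__ == "__main__":
    print("before purchase:", len(playable(CHUNKS)), "bytes playable")
    print("after purchase: ", len(playable(CHUNKS, CONTENT_KEY)), "bytes playable")
    print("overhead:", wire_bytes(CHUNKS) - len(MEDIA), "bytes on", len(MEDIA))
```

What this closes is only the first of the two holes listed above: nobody gets the post-preview content for free. It does nothing about the second, and the thread is right that it cannot; once the key reaches a purchaser it can be shared along with the cached file, which is why the key release has to be tied to the authenticated, paid session on the server rather than to anything the player reports.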

    44. Re:Doublethink by AgentPhunk · · Score: 1

      And while you're at it, DON'T get them wet, and NEVER, EVER feed them after midnight.

    45. Re:Doublethink by lysergic.acid · · Score: 1

      in other words, giving consumers less control over the system they purchased, and handing that control over to corporate industries.

      so i guess i'm just leasing the computer i paid $2-3 grand for. i guess that's about right as that's pretty much how DVDs, CDs, downloadable music, ebooks, etc. already work.

    46. Re:Doublethink by debatem1 · · Score: 1

      The goal of cryptography is not to protect mechanisms, it is to protect information. An attacker, then, is anybody who you do not want to have the information you are trying to protect, while an intended recipient is anybody you do want to have that information. So, if the world is divided neatly into customers and pirates, cryptography has powerful mechanisms to protect your interests. But if even one individual can be a member of both groups, cryptographic mechanisms will fail to provide security of any provable strength.
      You talk about authorized systems, tamperproof mechanisms, etc., but the problem runs much deeper than that. If it were just the misbehaving client problem we could fix the hole and move on with our lives. The issue is that the recipient has to have the information in the clear, and as long as you are willing to provide that you will run the risk of having that person spread that information. Even if you were able to 100% blackbox your machine, the end result would be the same- you would 100% securely retrieve the information, 100% securely process it, then 100% deliver it to a person who wants to spread it around the net.

    47. Re:Doublethink by Atlantis-Rising · · Score: 1

      You miss my point. Encryption is about securing a communication between two points. The consumer, however, is not a 'point' because the consumer cannot decrypt the information (we do not all have built in decryption hardware in our brains).

      This is true of all modern cryptosystems, without exception. Rather, the system that conducts the decryption is the end-point.

      A cryptosystem is not designed to defend against an attack on the plaintext; that is, a cryptosystem does not exist that protects information that has already been decrypted.

      This is true of anything, though. Once plaintext information falls into the hands of a biological entity, it is at risk, and it doesn't matter how trusted that entity is (rubber-hose cryptanalysis) or anything else.

      DRM that fulfills the purpose of any modern cryptosystem is not inherently any more difficult than any other kind of cryptography.

      In short: Cryptosystems rely on machines, not people. No encryption extant can protect against plain-text theft, and it is not designed to do so. Neither is DRM.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    48. Re:Doublethink by Atlantis-Rising · · Score: 1

      Why do you conflate 'purchase' with 'own'? The two are not synonymous. Leasing is not necessarily the only alternative, either.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    49. Re:Doublethink by lysergic.acid · · Score: 1

      of course not. owning something doesn't require a purchase, and "purchased" doesn't imply current ownership. but those are petty semantics. the fact is, when you purchase something, you are trading money in exchange for the transfer of ownership--even if it's ownership of a license.

      even if we ignore the issue of consumer rights, unless the seller explicitly states otherwise, when you purchase something it's assumed that you are in fact purchasing that item--not just a license to use it (i hope i don't have to explain this tautology). but i guess you'd like for the purchase of CDs, DVDs, electronics, etc. to mean the purchase of a license to use those devices as sanctioned by corporate industries, and not true ownership of the items themselves?

      it seems like we're moving towards some form of twisted communist system whereby all physical property is owned by corporate industries, and individuals simply hold licenses to use "their" (i guess that word loses its meaning) computers, mp3/CD/DVD players, books, etc. within the terms specified by our corporate masters.

    50. Re:Doublethink by debatem1 · · Score: 1

      That's my point. DRM *is* designed to protect against plaintext theft. The use of cryptographic mechanisms to secure the data from point A to point B is irrelevant when your endpoint is untrusted.
      The point about consumers not being endpoints is pretty much moot, however- whether it is on the network, in RAM, on the graphics hardware, or on the monitor, there is a point at which it will be in the machine and cleartext. At that point it will always be vulnerable.

    51. Re:Doublethink by mabhatter654 · · Score: 1

      "There is no cryptographic solution to the problem in which the attacker and intended recipient are the same person"
      When will they learn?

      Um.. that's the entire point of Microsoft Vista! Xbox 360 works flawlessly... of course the owner of the machine is a "user" not an "owner" and the machine is not programmable. If you want real security you treat the end user as hostile.

    52. Re:Doublethink by The+Iso · · Score: 1

      Is that you, MC Negro?

      --
      "You don't need a weatherman to know which way the wind blows." - Bob Dylan
    53. Re:Doublethink by springbox · · Score: 1

      Yep. In a related issue, I wish (most) online games would stop trusting the client so much.

    54. Re:Doublethink by debatem1 · · Score: 1

      My point is that even if you completely secure the machine, if the attacker and intended recipient are the same person, all you have done is make a very complicated system for delivering cleartext to your attacker. The intent of the system is irrelevant.

    55. Re:Doublethink by Hurricane78 · · Score: 1

This does not change a thing, because the system by definition has to give it to the user in an unencrypted form.

      There are simple rules to this:

      • The user has to sense it in a way he understands.
      • There are recording devices for every computer output that humans can understand.
      • If he can understand the original, he can understand the recorded copy.

      Now put your geek card on the table and slowly move away from the computer. We are taking you to the DRM hell.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    56. Re:Doublethink by Atlantis-Rising · · Score: 1

      That's not necessary. We exist in a 'twisted communist system' whereby all physical property is owned by the government, and individuals and businesses simply hold licenses to use 'their' computers, MP3/CD/DVD players, books, etc. within the terms specified by their government masters.

You don't believe me? Go ask a lawyer about fee simple and allodial title.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    57. Re:Doublethink by Atlantis-Rising · · Score: 1

      My point is that, in reply to the original post, which said:

      "There is no cryptographic solution to the problem in which the attacker and intended recipient are the same person"

      I am simply pointing out that that is not a problem that cryptosystems are designed to solve.

      Of course there's no solution- you're looking at the wrong problem.

      DRM, exactly what it says (Digital Rights Management) is a complicated cryptographic problem that can be solved technologically with correct systems design.

      There are a handful of tricks one can use in the vein of analog management, but they're just that- tricks, and not really secure systems.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    58. Re:Doublethink by Atlantis-Rising · · Score: 1

      DRM is not designed to protect against plaintext theft. Notice it's called 'DIGITAL rights management'.

      Moreover, your argument that there will always be a digital point at which the information will be extractable cleartext is fallacious. That's simply a matter of correct systems design, nothing more complicated.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    59. Re:Doublethink by Lost+Race · · Score: 1

      Also, you can NEVER, EVER put too much water in a nuclear reactor.

    60. Re:Doublethink by Anonymous Coward · · Score: 0

      "yea, i think Adobe did the smart/sensible thing by leaving the stream unencrypted to boost download speeds."

      I can't tell if you're being facetious here. You do realize that encrypting a download stream (a) doesn't affect the network transfer rate, and (b) doesn't significantly increase the amount of streaming data, yes? This does not boost download speeds; suggestions that it does constitute poorly thought out arguments or deliberate red herrings.

      "ended up with a streaming technology that's slower & wastes more bandwidth,"

      Again, not bandwidth, not in any significant way. It might require a little extra processing power at the client end to decrypt the stream, which may cause delays between the reception of the stream by the client and the display of the stream -- but bandwidth is not the issue here, despite TFA.

    61. Re:Doublethink by debatem1 · · Score: 1

      My God, you've figured out how to encrypt pixels! Genius! Let me know when you've got it working.
      Seriously, though, I'm not sure why you think that plaintext can't be digital, but it is most certainly the case that so long as your user does not have an in-brain decryption mechanism, it will be the machine's job to render unto them movies, music, and TV in such a way that they can process it. If this is the case, then so long as you do not control the pipe between your system and them, they will always be able to capture it.
      It is worth noting that this is not a first line of attack on this kind of system, but rather a last line. This presumes that *every other* relevant communication in the system is unquestionably unassailable. I don't need to tell you that given unlimited physical access to the hardware, or even a reasonable modicum of access to the software, that state of being will not endure.

    62. Re:Doublethink by schon · · Score: 1

      I am simply pointing out that that is not a problem that cryptosystems are designed to solve.

      While that statement is correct, that is *NOT* what you are pointing out. In fact, it is the complete *opposite* of what you are pointing out.

      This statement is precisely what debatem1 said when he said

      There is no cryptographic solution to the problem in which the attacker and intended recipient are the same person

      , and which you directly attacked.

      DRM, exactly what it says (Digital Rights Management) is a complicated cryptographic problem that can be solved technologically with correct systems design.

      No, it can't. DRM by definition requires you to give the cryptographic keys to the end user. (Because the end-user must be allowed to view the content.) Every end-user is also a potential attacker (because if they weren't, then DRM is not needed.) If the attacker must have the keys, then cryptography cannot (again, by definition) be used to protect the content, and thus it is not a cryptographic problem.

      Simply put: If the end-user is not also the attacker, then exactly which problem is DRM trying to solve?

    63. Re:Doublethink by debatem1 · · Score: 1

      Thank you; you've stated the case quite a bit more clearly than I could have.

    64. Re:Doublethink by logicmethod · · Score: 1

      I agree that the server should be set up to only serve up what the client is authorized to view, however, A) it's not necessarily Adobe's server software--you can serve FLV files from any server, and stream from alternatives like Red5, and B) it's not the server's configuration that allows the file to continue to stream; it's a flaw in Flash Player 9 and below that doesn't allow the developer to cancel HTTP requests. This will be fixed in Flash Player 10, but as of right now exists as a limitation.

    65. Re:Doublethink by logicmethod · · Score: 1

      That's a lot of wasted bandwidth, even if the conversion rate is 5%, and I'm sure it's not even close to that. The benefit to the consumer is minimal and the cost to the provider is significant; it's a bad business decision.

    66. Re:Doublethink by Atlantis-Rising · · Score: 1

      DRM does not require you to give the cryptographic keys to the user. DRM requires you to give the cryptographic keys to a system which will be conducting the decryption, which is not the user.

      This is a non-trivial difference.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    67. Re:Doublethink by Atlantis-Rising · · Score: 1

      Certainly. However, I never claimed that current systems were unassailable; merely that it is possible to construct a system whereby there is a secure, end-to-end encryption of digital content.

      Of course, like any secure system, the actual chance of a system being compromised decreases much faster than the cost increases (similarly to the function f(x) = 1/x) and it is theoretically impossible to create a perfectly secure system, but setting aside those theoretical limitations (as relevant as they may eventually be), there is no inherent limitation that makes DRM particularly more problematic than any other cryptographic problem which exists within the same constraints, of which there are more than one would imagine (and of course, all these systems exist on what is essentially a continuum of cost/ease of attack). Some such systems, in various iterations, are vital to our modern-day existence, especially in the financial industry.

      For example, it is theoretically possible to create a trusted, tamper-proof architecture which will prove resistant (but not, of course, totally secure; shall we say in this case, 'secure' means 'within foreseeable events') and secure to attack even were it to fall into known-hostile hands. Such a device would obviously self-destruct or attempt to render its data unsalvageable if it were to be tampered with, among other features.

      There always exists the analog hole. I don't dispute that. But that's not the problem that DRM was designed to solve, and nor can it.

      There further exists the tautology that the more access to a system the attacker has, the easier it will be to attack that system. I don't debate that, either. Physical access is not necessary; but, like any kind of access, it does make the attack easier. There exist today standards and protocols for mitigating the effects of such attacks.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    68. Re:Doublethink by debatem1 · · Score: 1

      There always exists the analog hole. I don't dispute that. But that's not the problem that DRM was designed to solve, and nor can it.

      Actually, it is.

    69. Re:Doublethink by pacinpm · · Score: 1

      There is a solution. It's very old. It goes like this: I can show you this movie but I'll have to kill you after.

  3. Ming boggles... by PineGreen · · Score: 5, Insightful

    ...at how fuckin dumb this all is. If you can see it, you can copy it, maybe it is more difficult, but not impossible. Do these idiots never ever learn?

    1. Re:Ming boggles... by clarkkent09 · · Score: 2, Interesting

      Yes you can, but yes it's more difficult, so not as many people do it and those who do will not do it as often. I guess that's the thinking: if you can't stop it altogether, making it even a bit harder is a step in the right direction from their point of view, and it does make some sense.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    2. Re:Ming boggles... by Vladus2000 · · Score: 3, Insightful

      The key isn't stopping everyone, it's stopping your average stupid computer user from doing it. That is all they need to achieve. When even John McCain can figure out how to pirate something, then the copyright holders are really screwed.

    3. Re:Ming boggles... by lazy_nihilist · · Score: 1

      Do these idiots never ever learn?

      Apparently not. I RTFA and was amused to hear the CEO of a DRM company say how the lack of DRM was threatening all business models. Ironic, given I don't see how DRM can "protect" any online video content that can be viewed on a computer. More snake oil.

    4. Re:Ming boggles... by Anonymous Coward · · Score: 3, Insightful

      The key isn't stopping everyone, it's stopping your average stupid computer user from doing it.

      Average Stupid Computer User will not be doing it, anyways. He will go to something like The Pirate Bay and download it from there, after one Above Average Stupid Computer User did it and put it there.

    5. Re:Ming boggles... by gardyloo · · Score: 4, Funny

      He's also Merciless!

    6. Re:Ming boggles... by Libertarian001 · · Score: 1

      "Do these idiots never ever learn?" If history has taught us anything it is that we do not learn from history.

    7. Re:Ming boggles... by Firehed · · Score: 2

      You expect that the CEO of a DRM company wouldn't suggest that his product is necessary for everyone? We know that not using DRM only threatens HIS company's business model, but DRM has been ineffective from the start, and has only served to inconvenience paying customers. Nobody doesn't know this by now - it really only exists to kill off second-hand sales and because of some misguided decisions from some ignorant CEOs.

      Snake oil or not, it'll probably be around for a while longer until it's made clear that only products without DRM succeed in the market. I'm doing my part. Are you?

      --
      How are sites slashdotted when nobody reads TFAs?
    8. Re:Ming boggles... by johanatan · · Score: 1

      Well, if the Average Stupid Computer User won't be there, then maybe they're shooting for the Below Average Stupid Computer User?

    9. Re:Ming boggles... by robzon · · Score: 1

      Do these posters never learn?

      Never.

    10. Re:Ming boggles... by illegalcortex · · Score: 1

      Especially at Boggle!

    11. Re:Ming boggles... by elrous0 · · Score: 1

      Not to worry. Flash...ahhhahhha...will save every one of us!

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  4. in case you hadn't noticed by drDugan · · Score: 5, Insightful

    sadly, axxo and fxg and their black market friends already figured out years ago how to get movies for free to most anyone willing to look for them. it brings the end of an industry in its current form.

    There are better models: allow people, if they choose, to take media without paying for it, but give them credit, additional access, and membership benefits when customers do sponsor/pay for the media they consume. It is really not that complicated... find something you can sell because you can no longer technically control the distribution of your product.

    Major media producers cannot change the progression of technology with policy and lawsuits. They would be so much better off to adopt what tech can enable, and build effective business models around providing customers with real value when they do pay for media, instead of using fear and lawsuits to force them to pay when they don't have to.

    1. Re:in case you hadn't noticed by Pichu0102 · · Score: 1

      Major media producers cannot change the progression of technology with policy and lawsuits.

      No, but they CAN get revenge by ruining people's lives through them. Which is probably what it's really about, seeing as how it doesn't seem to have any other effect.

    2. Re:in case you hadn't noticed by maestroX · · Score: 1

      It is really not that complicated... find something you can sell because you can no longer technically control the distribution of your product.

      Well, I think the complication is business-minded people tend to have a bad relationship with technical issues and try to negotiate on matters that are actually based on technical merits and involve binary choices.

      No need to try and convince in words, just put your money where your mouth is and refuse DRM, the productive argument is: out of business.

      My humble opinion, you're free to choose otherwise, I'm just not gonna pay for watching senior-housed Sly and Apollo beating each other senseless in yet another Rocky revival.

    3. Re:in case you hadn't noticed by Anonymous Coward · · Score: 0

      sadly, axxo and fxg and their black market friends already figured out years ago how to get movies for free to most anyone willing to look for them. it brings the end of an industry in its current form.

      FYI, aXXo just reencodes scene releases.
      (S)He could just be some person in their mother's basement.
      aXXo is not a release group.

  5. Switcheroo by Jimmyisikura · · Score: 1, Insightful

    Normally they overdo security, now they are lacking in basic security that protects legitimate content creators. The question is how long until they fix it.

    1. Re:Switcheroo by fuzzyfuzzyfungus · · Score: 4, Insightful

      Typically, DRM related security bugs get fixed markedly faster than do security bugs that threaten the security of the computer the software is installed on. Just to remind you who the customer is, and who the consumer is, y'know.

  6. DRM can't be a solution by D4C5CE · · Score: 3, Insightful

    the article suggests DRM as a potential solution to the problem

    Restrictions pitting a computer against its owner (and wasting time and energy to further a business model built on distrust) are always a problem, and the proof that some technologies can be inherently evil.

    1. Re:DRM can't be a solution by Anonymous Coward · · Score: 0

      Hey, I got a better idea than using DRM to solve this problem. How about not sending the ENTIRE FUCKING MOVIE to the users who only want to see a 2-minute preview?

    2. Re:DRM can't be a solution by Anonymous Coward · · Score: 0

      inherently evil is an incorrect assumption.
      the flexibility of the technology allows
      it to be twisted by twisted thinkers.
      jr

  7. From the article by superphreak · · Score: 3, Insightful

    The free demo version of Replay Media Catcher allows anyone to watch 75 percent of anything recorded and 100 percent of YouTube videos. For $39, a user can watch everything recorded.
    One Web site -- www.tvadfree.com -- explains step-by-step how to use the video stream catching software.
    [snip]
    Forrester analyst James McQuivey said he doesn't believe the video stream catching technology will entirely derail the advertising-supported business model used by the networks for online video.
    "It's too complicated for most users," said McQuivey, noting that file-sharing services like BitTorrent already exist but only a small percentage of people use them.


    See? He (whoever he is...) thinks piracy won't be a problem... it's too complicated to pirate stuff... people would rather pay... something like that anyway. And he's an analyst, so that makes it official, right?

    --
    Evolution is a state-sponsored, state-protected religion.
    1. Re:From the article by CaptainPatent · · Score: 1

      See? He (whoever he is...) thinks piracy won't be a problem... it's too complicated to pirate stuff... people would rather pay... something like that anyway. And he's an analyst, so that makes it official, right?

      Really?

      Lemme throttle down bittorrent so I can load that article.

      --
      Well, back to rejecting software patent applications.
    2. Re:From the article by superphreak · · Score: 1

      Yes I was being quite sarcastic. Bittorrent isn't very difficult to figure out...

      --
      Evolution is a state-sponsored, state-protected religion.
    3. Re:From the article by rts008 · · Score: 1

      Firefox + dwhelper extension has handled this for some time now...any 'media' on the site, audio, video...captures youtube flash vids just fine!

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    4. Re:From the article by Anonymous Coward · · Score: 0

      > Bittorrent isn't very difficult to figure out..

      Yeah, especially when someone else has already written the software...

  8. I just have to wonder.. by cyberjock1980 · · Score: 1

    I just have to wonder what it's like to be in the shoes of the person that wrote the code that's flawed. Maybe I'm mistaken, but this seems like something that the coder did knowing that if anyone ever figured it out, it was game over for the DRM. Surely this person is now explaining why it is how it is to his supervisors, who are probably banging their heads against the wall thinking "OMG".

    1. Re:I just have to wonder.. by WoollyMittens · · Score: 1

      It very likely is just the opposite way around. A middle-manager ordered the loophole to save time and effort against the protests and better knowledge of the developer who is going to get fired over this.

    2. Re:I just have to wonder.. by mikael · · Score: 1

      I am sure a whole design team plus management would be involved in this. They would have had to get a specification written, have it approved by the legal department (to ensure no patents were being trampled on and that user's privacy wasn't being invaded) and by sales/marketing (to ensure that the software would run on the majority of computer systems) and then by accounting (to account for the salaries of the application developers).

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:I just have to wonder.. by Hynee · · Score: 1

      Yeah, they probably have rules about code reviews, and even middle management could have picked this hole (and thus be partly to blame). It's probably much easier on the server farm not to have authentication, although it wouldn't be that difficult to have separate 2 minute previews.

      --
      Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
    4. Re:I just have to wonder.. by joto · · Score: 1

      It's far more likely that the person who wrote the code, wrote exactly what the specification said. When he asked why they didn't go for something more secure, he was told not to worry about it. The supervisors were promoted, since the project finished in less than double the time estimate. And nobody is banging their head against the wall, since they all knew this would happen sooner or later.

      In any case, DRM without "trusted" computing, is security by obscurity, and even the top-level management have figured that out years ago.

  9. Impressive(ly pathetic). by fuzzyfuzzyfungus · · Score: 3, Interesting

    As we all love to repeat, DRM is folly, giving a man a locked box and the key, security through obscurity, mere obfuscation, inevitably cracked, etc. So, a story about yet another broken DRM system is hardly exciting.

    What is amusing, in this case, is that we have a DRM system so broken that it includes a vulnerability of the kind that is theoretically fixable. Essentially, Amazon streams the first couple of minutes of whatever it is to you for free. To get more, you have to pay. However, thanks to this bug, Amazon doesn't actually stop streaming at two minutes, just sends a command to the player to stop playing. The video that you aren't supposed to see ends up, inadequately obfuscated, somewhere on your system.

    That is the pathetic bit. It is ultimately impossible to control what another computer does; but it is merely a matter of good engineering to control what yours does. Server access control vs. DRM. Here, the system is so broken that Amazon's servers are essentially handing out video that they don't want copied to anybody who asks for it, at which time it is protected only by the usual doomed local DRM. Thanks to badly designed DRM, the system is less secure than that ever so early 90's "on payment, we email you a one time use link to a direct download" content protection scheme. Ha-ha.

    1. Re:Impressive(ly pathetic). by johanatan · · Score: 1

      It's MS' favorite mode of operation--client side security.

      And, don't you mean Adobe instead of Amazon (or are both involved)?

    2. Re:Impressive(ly pathetic). by fuzzyfuzzyfungus · · Score: 1

      Adobe is responsible for the design, Amazon is the one running Adobe's software. So the design bug is Adobe's but "Amazon" is the other half of the critically flawed interaction.

  10. The internet enables free downloads. Seriously. by xigxag · · Score: 5, Funny

    You know what else allows full movie downloads for free?

    THE INTERNET.

       

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  11. This is new? by Toonol · · Score: 4, Insightful

    Doesn't everybody know that all flash video is easily accessible? Most of the time it's just a case of dragging it out of the cache. Sometimes you need to jump through more hoops, but I thought it was common knowledge that you could download it all.

    You have to re-encode it if you want to, say, burn it on dvd, but that's not too hard. I use winFF (yes, I use windows).

    1. Re:This is new? by mgblst · · Score: 1

      Common knowledge among whom? Slashdot crowd, yes. Competent IT people, yes. The majority of internet users, no.

    2. Re:This is new? by totally+bogus+dude · · Score: 2, Insightful

      I think the news part is that Amazon sends you the entire movie when you play the 2 minute "preview". Most people would assume the preview would in fact be a two minute clip without the rest of the movie attached.

    3. Re:This is new? by Gunstick · · Score: 1

      every idiot has a network traffic monitor, even if it's only the LED on the router. So if it still shows traffic a long time after the 2 minutes preview has finished you can conclude that there must be the rest of the movie coming down the line.

      --
      Atari rules... ermm... ruled.
    4. Re:This is new? by squiggleslash · · Score: 1

      For sites like YouTube, it's fairly easy, there's a file in /tmp called Flashxxxxx (where xxxxx is a random sequence of letters and digits.) I've yet to find a way of downloading anything from Hulu.com though. I got the impression the Hulu player keeps everything in memory, which is why moving the cursor is a somewhat less smooth experience than it is with YouTube.

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:This is new? by crmarvin42 · · Score: 1

      Could you tell me where that is on a mac? I knew it was probably possible, but didn't believe that anyone was actually that stupid, so I've never looked for it.

      --
      Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
    6. Re:This is new? by stevied · · Score: 1

      On Linux, at least, it's often even easier: the flash video is usually sitting in /tmp with a reasonably obvious name, just asking to be hard linked somewhere else. Don't know if this holds true for RTMP streams, though, which I guess is what TFA is talking about.

    7. Re:This is new? by VisceralLogic · · Score: 1

      No... most of the idiots just see a pretty blinking light. It doesn't actually mean anything to them.

      --
      Stop! Dremel time!
    8. Re:This is new? by Anonymous Coward · · Score: 0

      If you use Safari it is easiest to download Flash videos etc. through the Activity window. IIRC you can open it with Shift-Command-A and just double-click the file you want to download.

      As to where browsers keep their cache on a Mac, I'm sure Google can help you with that.

    9. Re:This is new? by Toonol · · Score: 1

      Here's the easy way: Clear your cache, watch a flash video, then do a search on your machine for all files modified today with a file size over, say, a few meg in size. You'll probably get a short list, and one of them should be the flash video in your cache directory. You may have to copy it out and rename it.
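An added example, not part of Toonol's post or anyone else's in this thread, that implements the cache search described above in Python, with one check the post leaves out: the file is identified by the FLV container signature (the bytes `FLV` at offset 0) rather than by its name, because browser and Flash cache files carry random names like the `Flashxxxxx` ones squiggleslash mentions. The `make_sample_cache` helper builds a throwaway directory of constructed files so the function can be exercised offline; the names, sizes and the 4 MiB threshold are assumptions made for the example.

```python
import os
import tempfile

FLV_MAGIC = b"FLV"            # first three bytes of every FLV container file
MIN_SIZE = 4 * 1024 * 1024    # "a few meg": assumed threshold, tune as needed


def is_flv(path: str) -> bool:
    """Identify an FLV file by its signature, not by its (random) name."""
    try:
        with open(path, "rb") as f:
            return f.read(len(FLV_MAGIC)) == FLV_MAGIC
    except OSError:
        return False


def find_recent_videos(root: str, since: float, min_size: int = MIN_SIZE):
    """Walk `root` and return every file modified at or after `since`
    (epoch seconds), at least `min_size` bytes long, whose contents start
    with the FLV signature. Unreadable entries are skipped, not fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if st.st_mtime >= since and st.st_size >= min_size and is_flv(path):
                hits.append(path)
    return sorted(hits)


def make_sample_cache():
    """Constructed sample data for offline testing: a temp dir holding one
    FLV-signature file above a 1 KiB threshold, one equally large non-FLV
    file and one tiny FLV. Returns (directory, path of the expected hit)."""
    root = tempfile.mkdtemp(prefix="flashcache-")
    hit = os.path.join(root, "Flash9xQk3f")          # random-looking, like the real cache
    with open(hit, "wb") as f:
        f.write(b"FLV\x01\x05\x00\x00\x00\x09" + b"\x00" * 4096)
    with open(os.path.join(root, "f3a9b1c2"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 4096)  # big, but not video
    with open(os.path.join(root, "Flash0000001"), "wb") as f:
        f.write(b"FLV\x01\x05")                          # FLV, but far too small
    return root, hit


if __name__ == "__main__":
    import sys
    import time
    cache_dir = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for p in find_recent_videos(cache_dir, time.time() - 24 * 3600):
        print(p)
```

Run it with the cache directory as the first argument (for Linux Flash that is usually `/tmp`; for a browser cache, wherever that browser keeps it) and it lists FLV files from the last 24 hours.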

  12. Ming boggles... by Anonymous Coward · · Score: 0

    ...at how fuckin dumb this all is. If you can copy it, they will try to stop you, maybe it is impossible, but they will still add DRM. Do these posters never learn?

  13. From the article: by jrockway · · Score: 5, Insightful

    The problem exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience.

    Uh, the pirates were already uploading the full HD rips to Usenet days before the movies were even released. No pirate would want the shitty version Amazon is offering.

    --
    My other car is first.
    1. Re:From the article: by Drinking+Bleach · · Score: 3, Insightful

      Exactly. This flaw, no matter whose fault, isn't going to make more pirated copies appear, or even more people become pirates. Anyone that wants to pirate the films isn't waiting for some security flaw in Amazon/Adobe software to allow them to do so.

  14. Not really a flaw by Wesley+Felter · · Score: 5, Informative

    There are two separate issues mentioned in the article.

    1. HTTP and RTMP are not encrypted and thus it's trivial to record any video sent over these protocols. This is well-documented and I'd hardly consider it a flaw. Flash 9u3 has DRM (RTMPE+verification), but most Web sites don't bother to use it.

    2. Apparently Amazon's movie store server will send the whole video whether the customer has purchased it or not. This is a bug, but it's Amazon's fault not Adobe's and Amazon should be able to fix it easily enough. Also, they're apparently not using all the DRM features available in Flash so their videos aren't as protected as they could be.

    AFAIK Flash DRM hasn't been cracked yet because no one uses it. I'm not an advocate of DRM, but as a practical matter I find it works better when you actually turn it on.

    1. Re:Not really a flaw by Jah-Wren+Ryel · · Score: 2, Insightful

      I'm not an advocate of DRM, but as a practical matter I find it works better when you actually turn it on.

      Unless the reason you are using it is to satisfy a checklist from hollywood.

      Kind of like the TSA at the airport - "DRM theater" to make the frightened hollywood execs feel safe and secure even though they are still just as vulnerable with or without DRM...

      --
      When information is power, privacy is freedom.
    2. Re:Not really a flaw by Anpheus · · Score: 1

      Actually, DRM remains perfectly secure only when you leave it turned off, and ideally locked away and never put under the spotlight.

      Huh, that's funny, making DRM and general purpose PCs secure requires that you cut the network cable and bury them or lock them in a safe.

    3. Re:Not really a flaw by Spy+der+Mann · · Score: 1

      Actually, DRM remains perfectly secure only when you leave it turned off, and ideally locked away and never put under the spotlight.

      Huh, that's funny, making DRM and general purpose PCs secure requires that you cut the network cable and bury them or lock them in a safe.

      Just to be sure, let's pulverize and ionize them so we can feed their hadrons into the CERN collider while we can watch them go to 99.99999% the speed of light before blasting and turning into strange matter, and maybe one or two Higgs bosons. Bonus points for unrecoverability if they're turned into a micro-blackhole.

    4. Re:Not really a flaw by Wesley+Felter · · Score: 1

      Unless the reason you are using it is to satisfy a checklist from hollywood.

      Yeah, and after Hollywood reads a Reuters article about how your system is cracked, you'll probably have to release a new version to convince them that something is being done. And the charade rolls on.

    5. Re:Not really a flaw by RichiH · · Score: 1

      Presumably, this checklist would involve turning the DRM on in production.

    6. Re:Not really a flaw by Anpheus · · Score: 1

      I think you mean, just to be sure, we have to nuke it from orbit. It's the only way to be certain.

    7. Re:Not really a flaw by bill_mcgonigle · · Score: 1

      it's trivial to record any video sent over these protocols

      and superfluous if you can figure out the uber-hacker technique of 'open the cache folder'.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  15. Summary of "news" story... by evilviper · · Score: 5, Interesting

    In summary:

    Amazon.com is staffed by idiots... They thought it would be safe to stream the ENTIRE MOVIE, to anyone, FOR FREE. The ONLY protection being that they send a command to the Flash Player to "pause" playback after 2 minutes for those that haven't paid to watch the whole thing. Cheap software and instructions have sprung up all over the web, and everybody knows Amazon.com is going to get a boot up the ass by the media companies, and fix this "security" issue any second now.

    DRM is utterly redundant. They just need someone with 3-digit IQ in the company to teach them how to make a 2 minute excerpt clip that is free and publicly accessible, while keeping the full video password-protected.

    This is about on-par with an Apache "security announcement" that even if you don't make a link to a document on your HTTP server, it's still accessible! The horror!

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Summary of "news" story... by plasmacutter · · Score: 0, Offtopic

      2 minute excerpt clips from movies..

      Even the worst turkeys have 2 minutes of compelling footage.

      I could even find 2 minutes from something like the killer shrews

      --
      VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
    2. Re:Summary of "news" story... by Anonymous Coward · · Score: 0

      define "still accessible" for this webserving nOOb? i see no qualifiers so i ask.

    3. Re:Summary of "news" story... by Solra+Bizna · · Score: 1

      define "still accessible" for this webserving nOOb? i see no qualifiers so i ask.

      I'll bite.

      Until this post, nothing on the Internet or my webserver linked here. Now this post links to it, but even without this link someone could've typed that URL into a web browser and gotten to that important confidential document.

      However, even though I am linking here, you can't get to it. Rather than security through obscurity, that's real access control. (No such file exists; I have a mostly-empty /private directory that 403s almost everyone and 401s the rest.)

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  16. flaw? by theheadlessrabbit · · Score: 4, Funny

    "Adobe Flaw Allows Full Movie Downloads For Free"

    it's not a flaw, it's a feature!

    --
    -I only code in BASIC.-
  17. Obvious question by neokushan · · Score: 2, Funny

    What's the easiest and fastest way to take complete advantage of this?
    I want links!

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    1. Re:Obvious question by Anonymous Coward · · Score: 0

      1. Mentally select the film or show you wish to view.
      2. Go to thepiratebay.org
      3. ???
      4. profit

  18. Do these idiots never learn? by symbolset · · Score: 3, Funny

    Actually I do have a bulletproof method of DRM that customers will accept. There's no patent - it's currently a trade secret. I could show them how it works without revealing the secret, and they could license it from me.

    I only want $40m cash up front, and 10% of the back end.

    I'm calling it MP[34]. Of course with licensing comes naming rights. I think "Plays For Now" is not yet taken.

    --
    Help stamp out iliturcy.
  19. Oops by symbolset · · Score: 1

    That was MP[34]XOR-B3

    Sorry about that. MP[34] is already taken.

    --
    Help stamp out iliturcy.
    1. Re:Oops by symbolset · · Score: 1

      I also have alternate methods MP[34]XOR-AF and MP[34]XOR-00.

      This is valuable intellectual property here.

      --
      Help stamp out iliturcy.
  20. This is what HDCP is for by Skapare · · Score: 1

    Normally if you can play the video, you can capture it. So encryption/DRM is rather pointless. However, DRM can work (up to a point) if HDCP is used. The player has to be sure that the path from the internet to the display is fully encrypted OR sealed. By doing the decryption in the video card, uncompressing it there, and re-encrypting it for HDCP over HDMI (audio, too ... so DVI won't work unless they want to give up the protection on the audio), you can be sure the video is safe all the way, as long as the content owner trusts the video card (it would have a player device key like a DVD player would, that can be revoked) and the video display device.

    But there are still a couple of analog holes. Internal electronics of the display could be tapped to get analog, which may have stair step levels that would allow determining original digital values. And then there is the camera on the screen method.

    One big catch is, unlike the home TV market, few people have HDCP capable video cards and displays, and fewer still have it for HDMI that can support DRM audio through the video card. So deploying strong DRM for streaming video is not practical, yet.

    --
    now we need to go OSS in diesel cars
    1. Re:This is what HDCP is for by Anonymous Coward · · Score: 0
  21. Cache by Skapare · · Score: 1

    Amazon starts to stream the entire movie during the free preview -- even though it pauses the video on the Web browser after the first two minutes -- so that users can start watching the rest of the video right away once they pay.

    However, even if a user doesn't pay, the stream still sends the movie to the video catching software, but not the browser.

    So that's why my SQUID caches were getting so big :-)

    --
    now we need to go OSS in diesel cars
  22. Encryption 101... failed by most media bosses. by WoollyMittens · · Score: 1

    In encryption, person A wants to send something to person B without person C being able to read it. In DRM, person A wants to send something to person C, who owns computer B. It doesn't take an engineering degree to figure out that there's something wrong with DRM.

  23. It's like 0-day shipping by iabervon · · Score: 5, Funny

    It's just like their instant delivery service, available for items that you've put on your wish list in advance. The way it works is that, when you put an item on your wish list, they ship it to you. Then, if you buy it, they give you the tracking number, you go to the shipper's site, and find that the item is on your porch, at which point you bring it inside and open it. If you don't buy it, eventually the shipper notices that it's been sitting on your porch for a while unclaimed and brings it back to Amazon.

    1. Re:It's like 0-day shipping by Anonymous Coward · · Score: 0

      Hey, quick! You should patent that!

  24. Doesn't work anymore. (On Amazon) by Anonymous Coward · · Score: 0

    I know you were gonna try it for research purposes... But apparently they fixed the hole. (At least at Amazon.)

  25. In related news ... by dougmc · · Score: 4, Funny

    In related news, researchers have discovered that Gutenberg's printing press has similar flaws. By using modern technology such as photocopiers or cameras, or older technology such as monks and pens (or additional printing presses) criminals can create nearly identical copies of items printed with the press, depriving the original creators of the material of much needed compensation.

    Gutenberg did not immediately return calls for comment, however it's theorized that he did not build an encryption option into his printing press in order to boost comprehension speeds (Simple substitution ciphers were well established at the time of the creation of the printing press, and Gutenberg could have easily applied their techniques in the creation of his press, however it's not entirely certain how effective it would have been at preventing piracy. (Somewhat (at most) effective DRM techniques were developed centuries later.))

  26. Some companies seem to get it... by GradiusCVK · · Score: 1

    On a related note, no doubt the maker of Replay Media Catcher, Applian, has seen a bump in both sales and online warez activity. Their solution to combatting the latter?
    http://www.applian.com/replay-media-catcher/crack.php
    Umm, while researching the information in this article... *cough*... I discovered this. It shows up very highly on google.
    In my opinion, this is a truly insightful move by Applian. It appeals to the vast majority of minor-league pirate types who really just don't want to pay for something (probably less appealing to the types of people who believe everything should be free)... people who are much less likely to value their privacy as highly as many of us here on Slashdot do. I say, bravo Applian.

    1. Re:Some companies seem to get it... by RpiMatty · · Score: 1

      Is this flaw in the Amazon setup already fixed?
      http://www.applian.com/replay-media-catcher/support/faq.php

      Applian says replay media catcher can no longer record on-demand streams from amazon.com

  27. Err by GradiusCVK · · Score: 1

    I should say, it shows up very highly on google with specific searches... compare:
    http://www.google.com/search?q=%22replay+media+catcher%22+crack
    http://www.google.com/search?q=%22replay+media+catcher%22

  28. Not that Adobe's method is perfect, but by MichaelPenne · · Score: 3, Informative

    Any site that try to protect their content with stupid tricks

    Actually, what they did was trade-off stream security for the user experience - if the stream does pre-load, then the viewer can start viewing the movie much faster after they pay.

    It's a good trick if most of your users do pay, as they get the video they pay for much faster (since it's already pre-loaded) than would be possible if the paid content was sent in a separate stream that did not start until after the payment was processed.

    Mainly, this is an artifact of delivering video via http/progressive download vs. rtsp - you have a few options:
    1. deliver one stream - tradeoff - geeks can view for free
    2. deliver two streams - tradeoff - slow, annoying start up while you wait for the second stream to load enough to start playing
    3. use rtsp - tradeoff - reduces the quality of the video to match minimum bandwidth between the server and the viewer

    For really secure video, you'd use either RTSP or DRM (or both8-0), but they both have other problems with quality and user experience.

    I guess a system designed by a video geek would probably lean towards providing the best quality viewing experience while making it possible for a geek to get the video for free:-).
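
Server-side gating of the kind the comments above describe (a free excerpt, the full file only after payment), as an added example that is not from any poster here or from Adobe or Amazon: `weak_serve` models the client-enforced "pause after two minutes" design, `server_serve` never sends an unpaid client more than the excerpt. The catalogue, the key and the HMAC purchase token are constructed for the demo; "password-protected" in the thread could equally be a session or a receipt like this one.

```python
# Added example: free excerpt vs. full movie, gated client-side (weak) or
# server-side (signed purchase token). Constructed demo: one byte = one second.
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # placeholder; load from a secret store
PREVIEW_SECONDS = 120
CATALOGUE = {"shrews": b"S" * 4500, "spider4": b"P" * 6000}  # constructed


def weak_serve(video_id, paid):
    """Client-enforced gating: the whole file goes to everyone and only a
    'pause at' instruction separates preview from purchase. A recorder gets it all."""
    data = CATALOGUE[video_id]
    return {"bytes": data, "pause_at": None if paid else PREVIEW_SECONDS}


def issue_token(user_id, video_id, ttl_seconds, now=None):
    """Purchase receipt handed to the client: payload plus HMAC-SHA256 tag,
    bound to one video and expiring after ttl_seconds."""
    now = int(time.time() if now is None else now)
    payload = f"{user_id}|{video_id}|{now + ttl_seconds}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def token_grants(token, video_id, now=None):
    """True only if the token is authentic, names this video and is unexpired.
    Malformed input of any kind is treated as 'no access'."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw.rsplit(b"|", 1)
        _user, vid, exp = payload.decode().split("|")
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    return vid == video_id and exp > now


def server_serve(video_id, token=None, now=None):
    """Server-enforced gating: without a valid token only the excerpt leaves
    the server, so there is nothing for a stream-capture tool to pick up."""
    data = CATALOGUE[video_id]
    if token is not None and token_grants(token, video_id, now):
        return data
    return data[:PREVIEW_SECONDS]
```

The cost is the one MichaelPenne names: the paid stream cannot pre-load before payment, so startup after purchase is slower.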

  29. Re:The internet enables free downloads. Seriously. by martin-boundary · · Score: 1

    Shh, don't tell the lawyers, or they'll try to ban the users.

  30. defectivebydesign by wvmarle · · Score: 0, Redundant

    'nuff said

  31. Wasted bandwidth? by Anonymous Coward · · Score: 0

    So nobody thought of or cared about the waste of bandwidth resulting from streaming into a void? Even if the content was intentionally being given away free, it seems stupid to continue streaming when the client is no longer watching.

  32. Encrypting doesn't waste bandwidth... by advocate_one · · Score: 1

    only extra processor cycles at both ends... the content has exactly the same length of bytes, just got bits shifted in a weird and wonderful pattern according to the encryption algorithm and the keys

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  33. another DRM brilliant future by Monkey-some · · Score: 1

    Sooooo

    well I "am going to steal that video/movie/song"; you didn't ask me if I would, but just in case you enforce so many restrictions on it that I couldn't ever stea..watch it.
    you know what... your content doesn't really interest me. Your music is at best funny to listen to two or three times (but from that moment it would have been broadcast on many radios), movies are finally broadcast on TV (yeah, you have to wait a little bit, but sincerely most of the movies aren't worth your time) and videos, well, many TV stations feature "night long video clips", so bah, you finally figure out that you could still watch a few of them.

    I think that I see where you are coming from:
    "stay tuned for "Spider Monkey 4" -the absolutests bestest film ever made-but you'ain't going to see it because it's secured against the thief-"

    The real problem would be for a fan who willingly wants to buy every material made on his beloved artist (or commercial product), who would be obligated to consume this stuff now, like most of the people out there who don't give a rat's ass that the world is saved.

  34. This is redundant by Master+of+Transhuman · · Score: 1

    "This was designed stupidly,' said Bruce Schneier"

    It's an Adobe product. Saying it was designed stupidly is redundant.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  35. Already Fixed? by bill_mcgonigle · · Score: 1

    So that's why my SQUID caches were getting so big :-)

    This must be already fixed. I just tried a South Park episode (I know, they're already available for free) and it stopped the download at 1.4MB of data.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  36. VLC by dizzie1 · · Score: 1

    Anybody know if exploiting this could be accomplished using VLC's stream capture tools? (I'm on a Mac) Not exactly sure if I could get the stream url in OSX from the flash player, but perhaps there is a way in terminal? Excelsior!

  37. Is this even Adobe's fault? The article is slim. by arete · · Score: 1

    Overall, this is a really misleading article and summary.

    Adobe makes technology platforms. I assume this is using some derivative of Flash Media Server. FMS supports streaming media, and it also supports different kinds of optional and configurable encryption. Nothing is perfect and that goes double for software, but for the most part, Adobe's platforms are quite good.

    Despite what you might think from the headlines, no part of this seems like a platform flaw.

    I can only ASSUME that Adobe Consulting actually implemented the specific application for Amazon, and they screwed it up. Which I have to say I find much less concerning than if this is a platform problem.

    The flaw seems to really be that whole movies are sent when just the beginning is supposed to be. This MIGHT be an FMS flaw, but it might also just be bad application design. I can't tell from here.

    Then it says that the streams aren't encrypted. This might or might not have anything to do with the original problem, and in this kind of article it might or might not be true, since the first problem explains the issues. I would say that the streams for the preview plays SHOULDN'T be encrypted, if I correctly understand that anyone is allowed to watch those clips anyway.

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot