Slashdot Mirror


Adobe Flaw Allows Full Movie Downloads For Free

webax writes with this excerpt from Reuters: "[An Adobe security hole] exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience. 'It's a fundamental flaw in the Adobe design. This was designed stupidly,' said Bruce Schneier ... The flaw rests in Adobe's Flash video servers that are connected to the company's players installed in nearly all of the world's Web-connected computers. The software doesn't encrypt online content, but only orders sent to a video player such as start and stop play. To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players." webax also notes that the article suggests DRM as a potential solution to the problem.

5 of 166 comments

  1. Impressive(ly pathetic). by fuzzyfuzzyfungus · Score: 3, Interesting

    As we all love to repeat, DRM is folly, giving a man a locked box and the key, security through obscurity, mere obfuscation, inevitably cracked, etc. So, a story about yet another broken DRM system is hardly exciting.

    What is amusing, in this case, is that we have a DRM system so broken that it includes a vulnerability of the kind that is theoretically fixable. Essentially, Amazon streams the first couple of minutes of whatever it is to you for free. To get more, you have to pay. However, thanks to this bug, Amazon doesn't actually stop streaming at two minutes, just sends a command to the player to stop playing. The video that you aren't supposed to see ends up, inadequately obfuscated, somewhere on your system.

    That is the pathetic bit. It is ultimately impossible to control what another computer does; but it is merely a matter of good engineering to control what yours does. Server access control vs. DRM. Here, the system is so broken that Amazon's servers are essentially handing out video that they don't want copied to anybody who asks for it, at which time it is protected only by the usual doomed local DRM. Thanks to badly designed DRM, the system is less secure than that ever so early 90's "on payment, we email you a one time use link to a direct download" content protection scheme. Ha-ha.

  2. Re:Ming boggles... by clarkkent09 · Score: 2, Interesting

    Yes you can, but yes it's more difficult, so not as many people do it and those who do will not do it as often. I guess that's the thinking: if you can't stop it altogether, making it even a bit harder is a step in the right direction from their point of view, and it does make some sense.

    --
    Negative moral value of force outweighs the positive value of good intentions.

  3. Re:Doublethink by David Jao · Score: 4, Interesting

    The dumb part here is that they send the whole movie to your computer even if you're just watching the free two-minute preview. The two-minute restriction is only enforced in the flash applet. Now, no amount of DRM can stop a paying customer from copying the movie, but a smartly designed system could certainly make the customer pay for the movie before giving the whole movie to them.

  4. Summary of "news" story... by evilviper · Score: 5, Interesting

    In summary:

    Amazon.com is staffed by idiots... They thought it would be safe to stream the ENTIRE MOVIE, to anyone, FOR FREE. The ONLY protection being that they send a command to the Flash Player to "pause" playback after 2 minutes for those that haven't paid to watch the whole thing. Cheap software and instructions have sprung up all over the web, and everybody knows Amazon.com is going to get a boot up the ass by the media companies, and fix this "security" issue any second now.

    DRM is utterly redundant. They just need someone with 3-digit IQ in the company to teach them how to make a 2 minute excerpt clip that is free and publicly accessible, while keeping the full video password-protected.

    This is about on-par with an Apache "security announcement" that even if you don't make a link to a document on your HTTP server, it's still accessible! The horror!

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
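
Added example (not part of the Slashdot thread and not any vendor's code): the server-side enforcement that comments 3 and 4 call for, where the server decides per segment whether to send bytes at all instead of telling the player to stop. The segment length, signing key, token format and function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: signing key held only by the server
SEGMENT_SECONDS = 10              # assumption: video is stored as 10-second segments
PREVIEW_SECONDS = 120             # the free two-minute preview described in the thread
FREE_SEGMENTS = PREVIEW_SECONDS // SEGMENT_SECONDS


def _sign(user, title, expires):
    msg = f"{user}|{title}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, title, expires):
    """Called by the server only after payment has succeeded."""
    if "|" in user or "|" in title:
        raise ValueError("field separator not allowed in user or title")
    return f"{user}|{title}|{int(expires)}|{_sign(user, title, int(expires))}"


def token_valid(token, title, now):
    """True only for an unexpired, untampered token issued for this title."""
    parts = (token or "").split("|")
    if len(parts) != 4:
        return False
    user, tok_title, expires, sig = parts
    expected = _sign(user, tok_title, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return tok_title == title and int(expires) > now


def authorize_segment(title, index, token, now):
    """Server-side decision for one segment request; returns an HTTP status."""
    if index < 0:
        return 400
    if index < FREE_SEGMENTS or token_valid(token, title, now):
        return 200
    return 403  # bytes past the preview are never sent to an unpaid session


def segments_received(title, total, token, now):
    """What a player that ignores every 'stop' command can still obtain."""
    return [i for i in range(total) if authorize_segment(title, i, token, now) == 200]
```

With this check on the server, a client that ignores playback commands receives the same twelve preview segments as one that obeys them.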

  5. Re:Doublethink by Antique Geekmeister · Score: 2, Interesting

    Lots of folks here need to review the Palladium toolkit, renamed 'Trusted Computing'. It's designed to lock files to applications to hardware, in a triad specifically set up to control what users can do with their files and make them unavailable except for owner authorized software with centralized key management. This sort of thing is _precisely_ what it was designed for: the security enhancements it provides are potentially useful, but DRM is clearly its fundamental purpose.