Hulu Munging HTML With JS To Protect Content
N!NJA writes "Hulu has started encoding the html that they send to people's browsers, and then decoding it using javascript before rendering it. [...] They then run the character stream through a series of javascript functions to convert it back into plain text before pushing it into your browser using DHTML. That's quite a lot of effort just for fun, so I assume that is to stop screen scrapers from parsing content." I really can't understand all this effort. Boxee displayed the Hulu advertising perfectly. I suspect Alec Baldwin is to blame.
they're aliens. that's how they roll.
It sounds like there's something ROT-13 in the state of Hawaii.
...ended at midday yesterday. Though I have to admit that this is far funnier than the "stories" that Slashdot ran at the time.
The XBMC guys already made a plugin after the last hulu change. It'll take a few hours and a new one will be made.
Especially if you SEND the user all the info they need, how hard is it to decode functions? There are crackers out there that take decoded assembly to figure out how to bypass DRM, what makes Hulu think their implementation will be any more difficult?
I mean, the alternative here is to use torrents. Why would Hulu (or their corporate overlords) want to make it difficult to use Hulu, when it's already just as easy to download the show and play it in whatever media center thingamajig I want with no ads?
Couldn't an enterprising screen-scraper also just run it through the same Javascript code? Hulu is forgetting what I like to call the Fundamental Law of DRM: if you make data possible for users to see/hear, it will be possible for a reasonably enterprising user to copy it.
I am officially gone from
TunerFreeMCE couldn't scrape the data. Mission accomplished. Oh, wait... Tada:
"Update- version 2.6.7 is now available to download to work round this new tactic."
And now, I suppose, there will be a DMCA attack as phase two.
There are a number of ISPs that modify HTML which passes through them, inserting their own ads etc. Maybe they are trying to prevent this? Seems quite an effective approach..
I'm all for boxee, but if they wanted aggregates to link to their content I would think hulu would have provided an API to allow it. Maybe instead of trying to work around every change hulu makes they should work with them instead.
My father gave me some HTML that was decoded with Javascript. To get the raw HTML was pretty simple IIRC..
1) Load page in Firefox
2) Open DOM explorer/inspector
3) Export as HTML
4) ???
5) PROFIT!!
The disappearing pencil trick. Let me show you it.
As long as Hulu continues to work with a Linux-based browser, I'm happy. This is unlike ABC, whose system doesn't support Linux at all.
Their loss (or perhaps I should say "They're Lost").
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
And to anyone complaining about having to dance through proxies to watch Hulu internationally, it's for the same reasons. What benefit does Charmin see from advertising toilet paper to people in the Netherlands?
All that aside, as someone who has a modded XBOX with XBMC and was living abroad, I can say with experience that all these shenanigans are tiring. Like any arms race where it's content producers vs. the internet, the internet will win in the end.
Maybe they are just doing this to sate the content providers. As long as they appear to be trying to solve the problem, they should get brownie points with the major companies. Considering how popular DRM seems to be with the execs, I'll bet they think this works just as "well".
My webcomic
Make the viewer fill it in every ~2 minutes to keep watching.
Entomologically speaking, the spider is not a bug, it's a feature.
The more complicated your technique of hiding data, the more interested a hacker becomes in breaking it.
It's already been cracked. When will people learn?
http://www.neowin.net/news/main/09/04/01/hulu-tried-to-encrypt-content-already-cracked
Hulu is owned by Fox/NBC, and they are trying to attract other content providers.
Simply put, the ad revenue on Hulu is much, much less than on TV. Sure, it beats piracy (a little money and control over how long your content is on there) but if people were to cancel cable or watch Hulu on their Xboxes more, both cable/satellite providers and the content providers themselves would be unhappy.
Just another game of cat & mouse: Hulu makes changes, and Boxee updates. The hope is that if you make the workarounds unreliable enough to the point where people are too irritated, most will switch back to TV, with a few using Hulu just online on their computers and a few turning back to piracy.
Why all the effort to apply DRM to free streaming content? Is it just because the networks think that everything needs to have DRM?
Huh, looks like my "greater than" sign was removed from the title. Thanks, Slashdot.
http://www.urbandictionary.com/define.php?term=munging ?
(not work safe)
Just send the encoded page to Mozilla Rhino using their own JS functions, and then scrape the decoded page... Seen that before... done that before.
It's a shame that this is one story that should've been an April Fool's Day joke.
This is just more proof that the people who run the big media companies not only do not understand technology, but cannot be bothered to learn it either. If they did, they would realize that DRM is ultimately a futile effort because the end user has to have everything they need in order to decode the content. That means that someone who wants to decode the content to display it in some other unapproved manner, also has everything they need to do it. I'll assume that the technical people/aliens at Hulu know this too and are only doing what the content providers are demanding.
To the making of books there is no end, so let's get started
God only knows what they're likely to do when they find out my TV has a VGA input on it, in that case. That's probably circumventing DMCA protection right there.
"I Know You Are But What Am I?"
It's not just about the advertising. Their goal is to prop up the distinction between watching something on your TV and computer; if you're going to watch it on your TV, they want you watching from the TV networks it came from and not the theoretically inferior Internet. Unfortunately the distinction in the displays themselves continues to blur into nothing, so all they have left to maintain it is the interface, which they're doing their best to make as home theater remote driven unfriendly as possible.
These guys do understand that nothing prevents me from plugging my laptop into a TV and running a browser on it? And nothing prevents me from plugging a tuner card into my computer and showing TV on the monitor? So regardless of what they do, they can't make something show on a computer but not on a TV?
Wait a minute, my assistant is handing me an envelope he says will explain everything.
(envelope opening noises)
The note inside says "They're total idiots".
Yep, that does explain everything.
I used to wonder why you cannot mod a Slashdot editor's comment "Funny", but now I see that it would be an unused feature ;-)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Hulu is a BRAND. It wants to live in its own world and be exclusive.
So their attitude is "Frak Boxee", as Boxee is trying to DESTROY the brand of all the video sites to be replaced by the Boxee brand.
Why should Hulu play nice?
Test your net with Netalyzr
Now that they're actually applying some form of DRM to the system, maybe they think they can hit Boxee up with a DMCA-based injunction.
I know, I know, it's a weak argument technically, but it's not like that's ever stopped the lawyers before.
c.
Log in or piss off.
If you do decrypt it without authorization, they can claim you're in violation. It's not about the technical merits of their solution, it's about the legal aspect.
"Like any arms race where it's content producers vs. the internet, the internet will win in the end."
*puts content back in the vault*
You were saying?
Any developer worth his salt knows of the Firefox extension "Web developer" which comes with a "View generated source" button. So no matter how hard you try to hide your HTML, the browser still needs to see true HTML to render your page, which View generated source can do quite easily.
And for all the non-developers out there, if you use Firefox, you can make a selection of text (or better, CTRL-A), right click and choose view-source. It's the generated source you will see on selected text, not the original code provided by the server.
A
Won't this also prevent things like Phorm from modifying the ads? A screen scraper can just embed something like Gecko or WebKit and generate the DOM tree with the scripts, but something that needs to sit on a connection and do realtime packet modification like Phorm can't do that.
Since Hulu doesn't work outside the USA, I've never used it so I don't know which is more likely, but if I had an ad-supported web site I wouldn't want carriers modifying my data in-flight, and this approach is a lot less computationally-expensive on the server side than using SSL without dedicated hardware.
I am TheRaven on Soylent News
anal sex won't do anything but make your dick stink
Troll? Srsly? This should be +5 informative!
you can't prevent people from ripping off the content of any page on the internet.... if the browser can display it then... then it's possible to scrape it.
a lot of people try and use this strategy... unfortunately for the browser to render it properly.. the javascript must be embedded in the page that will allow to decode it =/
How does this affect screen scrapers intended to help those with disabilities? Just because you're blind doesn't mean you don't want to listen to content. If this is interfering, isn't there a federal law this is breaking?
And to anyone complaining about having to dance through proxies to watch Hulu internationally, it's for the same reasons. What benefit does Charmin see from advertising toilet paper to people in the Netherlands?
This is where the MBA and Marketing guys are falling down on the job. They should be selling regional ads for international viewers... instead of Charmin, they could sell Nokia ads for Dutch viewers, Weetabix in the UK, and Nutella in Italy, etc...
Come on, how hard is it to add a free, open Javascript engine to a screen scraper?
Sure, it won't be trivial, but it will probably be doable in fairly short notice for someone versed in the art.
Oh, wait, I just thought that it's unlikely that your bog standard screen scraper would parse a web page into a javascript accessible document model... *makes comment anonymous*
This is not actually the worst web DRM. I once found a site where the top of the code had a comment that said "Source code not available" followed by a bunch of blank lines. In order to get the source, one just had to scroll down some.
Which, of course, would make the scroll bar an anti-circumvention device.
DHTML modifies the DOM. It shouldn't be hard at all to just let the Hulu response build itself normally (maybe in an iframe or in another window) and then capture the DOM afterwards. A coworker of mine implemented a feature using this technique just yesterday (although it was for DHTML considerably simpler than Hulu's).
-- 77IM
Student: Is it true that the foundation of the universe is paradox?
Master: Well, yes and no.
Could someone explain what they're doing in a bit more of layman's terms? And then also, what the point of doing all of that is?
lesson learned!
There already is a distinction between TV and computer: Hulu is a lower resolution. I watch Hulu on my computer... which is hooked up to my 40" HDTV. It's just as easy to surf to the site from your couch with a nice wireless keyboard, but given the option, I'd rather see an episode on network TV, because it looks a lot better.
put it in fullscreen, fraps it, then take the gigantic file you just made and use video editing software to change the size to make it portable
no cracking/hacking/time wasting involved
EUCD is the EU version, if DVD Jon would have been tried in the EU it would have been interesting. Because I find it very hard to believe that anyone will ever get convicted for circumventing protection mechanisms, if it wasn't with malicious intent, or for monetary gain.
...and you'll never have to worry about *how* the content gets on the page. Make the browser do it just like you would by hand, and scrape the content after it's all rendered. Encrypted, generated by javascript, whatever.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
A couple years ago I was on a project building a web site that used asynch calls to web services to get JSON strings and then render DHTML from the resulting objects. The requirement came down that we needed to "encrypt" the data being returned by the web services. They understood that it would only be obfuscation because the code to "decrypt" the strings would be right there in the JS for anybody to see, but it's what they wanted.
Instead of trying to encrypt it, I chose to compress it. The resulting string was obfuscated so the client was able to check that off the list but more important was that the strings being returned were much smaller and performance was noticeably increased even though the string had to be decompressed in JS before it could be used.
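The trade-off this comment describes, as an added example that is not part of the original post or the poster's code: a response is compressed before it is sent and expanded again by script on the page, with no key anywhere, so the saving is in size and not in secrecy. LZW, the 16-bit packing and the sample episode list are assumptions; the comment does not name its algorithm.

```javascript
// Added example. LZW is an assumed stand-in for the unnamed compression scheme.
// Input must contain only characters below U+0100 (plain ASCII JSON here).
function lzwCompress(text) {
  const dict = new Map();
  for (let i = 0; i < 256; i++) dict.set(String.fromCharCode(i), i);
  const codes = [];
  let phrase = "";
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch.charCodeAt(0) > 255) throw new RangeError("input must be Latin-1");
    const grown = phrase + ch;
    if (dict.has(grown)) { phrase = grown; continue; }
    codes.push(dict.get(phrase));
    dict.set(grown, dict.size); // next free code number
    phrase = ch;
  }
  if (phrase !== "") codes.push(dict.get(phrase));
  return codes;
}

// The decoder rebuilds the same dictionary from the stream alone: no key, no secret.
function lzwDecompress(codes) {
  if (codes.length === 0) return "";
  const dict = [];
  for (let i = 0; i < 256; i++) dict[i] = String.fromCharCode(i);
  let prev = dict[codes[0]];
  if (prev === undefined) throw new RangeError("corrupt stream");
  let out = prev;
  for (let i = 1; i < codes.length; i++) {
    const k = codes[i];
    let entry;
    if (k < dict.length) entry = dict[k];
    else if (k === dict.length) entry = prev + prev[0]; // code defined by this very step
    else throw new RangeError("corrupt stream");
    out += entry;
    dict.push(prev + entry[0]);
    prev = entry;
  }
  return out;
}

// Pack codes as 16-bit units for the size comparison (in-memory only; a real
// transport would need a binary-safe encoding).
function pack16(codes) {
  let s = "";
  for (const c of codes) {
    if (c > 0xffff) throw new RangeError("dictionary outgrew 16-bit codes");
    s += String.fromCharCode(c);
  }
  return s;
}

function unpack16(s) {
  const codes = [];
  for (let i = 0; i < s.length; i++) codes.push(s.charCodeAt(i));
  return codes;
}

// Constructed sample response: a repetitive JSON list, as web-service output tends to be.
function sampleResponse() {
  const episodes = [];
  for (let n = 1; n <= 40; n++) {
    episodes.push({ id: n, title: "Episode " + n, duration: 1320, available: true });
  }
  return JSON.stringify({ episodes });
}

function demo() {
  const json = sampleResponse();
  const wire = pack16(lzwCompress(json));          // what the server would send
  const restored = lzwDecompress(unpack16(wire));  // what the page script does
  return {
    originalBytes: json.length,  // ASCII: one byte per character
    wireBytes: wire.length * 2,  // two bytes per 16-bit code
    roundTrip: restored === json,
    firstTitle: JSON.parse(restored).episodes[0].title,
  };
}
```

Because the decoder is ordinary script delivered with the page, anything that must stay confidential or access-controlled has to be enforced on the server, not by the encoding.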
Like any arms race where it's content producers vs. the internet, the internet will win in the end.
Don't be so sure. The Internet exists as it is largely because there still are dumb pipes. The day that the dumb pipes are replaced with smart pipes is the day the internet will have become TV.
Those who can, do. Those who can't, sue.
Yes, but if everyone switches away from TV, advertisers will recognize this and start competing for the Hulu ad space...thus driving the price up
Bottles.
typing "&gt;" without quotes will translate to >
There is a lot of talk in this thread about "who do they think they're fooling" and many more people saying "people will just crack the code"
You're right, there will be people out there who crack it. But if you look at it from a statistics standpoint there will be far more people who give up or don't want to take the time to crack it or find the pre-made crack. And vastly more people still who won't try because they've heard about the security and there are easier ways for them to get their content.
It's a numbers game. Especially when you're that "guy with the MBA" that was mentioned above. I think it has nothing to do with him not knowing what he's messing with. He doesn't need to know ... and neither do the advertising investors that are paying him gobs of money. They only need to know the statistics he gives them that says the content is "protected"
NOTHING is ever totally secure ... that's common knowledge. But how your security stacks up against your competitors can make the difference between a winning business model and just another also-ran.
Sure, it beats piracy (a little money and control over how long your content is on there) but if people were to cancel cable or watch Hulu on their Xboxes more, both cable/satellite providers and the content providers themselves would be unhappy.
I already watch Hulu on my xbox 360 and I don't have cable. I run MediaMall's Playon server in a Virtualbox Windows XP image on my Linux machine and it works fine. I can watch cbs.com, Netflix instant viewing content, Youtube videos and a lot of other content with this setup. Oh, and I also stream all my Mythtv recordings (ATSC local broadcast only) to the xbox via Fuppes. It's great. I've always had a deep hatred of cable companies, and it is really satisfying to cut them out and get all this content legally and essentially free (well, Playon is $39, but it is a one time fee). Goodbye to these customer unfriendly companies that are just middle men that add no value.
Didn't RMS warn about something similar to this last week and everyone just laughed at him?
Simply put, the ad revenue on Hulu is much, much less than on TV. Sure, it beats piracy (a little money and control over how long your content is on there) but if people were to cancel cable or watch Hulu on their Xboxes more, both cable/satellite providers and the content providers themselves would be unhappy.
Very true.
However, this would seem to be the very definition of how the free market is supposed to work. Customers want Internet based television; prefer it over cable/satellite.
Consumers steadily begin to use the net more. Hulu can then begin to charge more for ads while broadcast TV stations lower their rates.
I would think advertisers would prefer Hulu simply because their ads can not be skipped over and users can't just change the channel during the break. That suggests they can charge more for the ads in such a business model since the ads are more effective. End result, less ad volume (compared to broadcast TV) and happier viewers or the same ad volume with more profits.
It seems the cable and satellite TV providers are the ones that lose here but why should NBC/FOX care about them? The cable providers are already in a favorable position as the access point for new media distribution. If TV as a service goes the way of the dodo then they are free to charge more for Internet access provided they ditch the stupid caps.
As long as content providers keep trying to fight customer demand they will continue to miss out on the revenue opportunities that exist. As for copyright infringement, that'll always be around but they can minimize the impact it has by not driving consumers towards it out of an unwillingness to change.
Nokia is for the Nordic countries.
Danes are the ones who spread disgusting chocolates and nougats on their breakfast toast.
Next!
I did something like this in 1996 with my Geocities page.
Oh for crying out loud, they just *DON'T* get it, do they? People want their content from the internet, Hulu provides it, and now they're trying to muck around with the delivery of the content so it can only be through channels that they have complete control over?!?! W...T...F!!! It is becoming clear that they are truly going to die. Their business model and greed is going to cause them to collapse just like the financial markets. They are becoming too arrogant (not that they haven't been since the founding of the studios in LA) and power hungry in an age where someone with less than $250,000 can produce a high-quality episodic show that is successful.
Hollywood:
Wake up before you are supplanted!
Better yet, stay stupid so I have time to get my ideas off the ground and SUPPLANT YOU!
The clock is ticking boys...
On top of that this method of distribution allows targeted advertising and instant ratings feedback.
My only political goal is to see to it that no political party achieves its goals.
This is probably to stop Lynx browsers from properly displaying content. I'm betting this move was backed by bribe money. Clearly this is aimed at reducing compatibility with Lynx. MS is just trying to steal away market share.
Nail on the head here. I used to watch Hulu on Boxee through my Apple TV, until Hulu killed it. So when I had guests over earlier in the week and we wanted to watch a show on hulu, I simply plugged the DVI out from my laptop into a DVI->HDMI changer, right into my TV. A few seconds later, I had Hulu playing in full-screen on my TV in the living room.
So what did they accomplish except annoying me? Absolutely nothing. They also seem to have forgotten that the lines between computer monitors & TVs are becoming blurred all the time. I have friends using 42" displays as their monitors, with a PC right in the living room. Hulu (and by extension, Fox, NBC, etc.) just don't seem to get it here. If they're making their content available for free online, people will find ways to watch it when & how they want. Constantly trying to work around that will only serve to piss off your user base.
Yeah, but wiping my arse with a Nokia doesn't work too well, the Weetabix isn't too absorbent, and don't get me started on what happened with the Nutella!
... and Nutella in Italy
But I love Nutella too
I've been using the PlayOn dlna server for months now and Hulu works fine through it (along with Netflix, Amazon VOD, CBS, ESPN, CNN, Revision3 and soon ABC). What are they doing right that Boxee is doing wrong?
Bill Clinton: Pimp we can believe in. - The Shirt!!!
It's not reverse engineering if you let it work as intended. Or at least it can be argued. Using an OnLoad handler basically lets the browser do exactly what it's supposed to do, bypassing nothing and changing nothing. The mechanism is still running and doing what it is expected to do. It is not disabled or altered in any way. No different from trapping unencrypted content directly from the wire.
Packaging this up and distributing it for the purpose of bypassing copy protection would get you in trouble certainly, but allowing DRM to do exactly what it's supposed to do is a very vague and to my knowledge untested area of law.
I think of it this way. If Macrovision were intended to stop copying, but was implemented in a way that did not actually prevent copying, you would not be guilty of bypassing or disabling DRM. Just pop a DVD or VHS in and copy it, you've bypassed the protection but didn't have to do anything to do it. Much like the "analog hole" problem - one could argue that plugging in an audio cable is "bypassing DRM", but the system is operating as expected, and as the DRM implementers should be well aware. Bypassing the secure audio path in Windows involves effort and would be a clear violation, but the system is designed to provide audio out. It is not clear whether this is an intended function or a poor implementation. Likewise the issue of bypassing CD DRM by coloring the edge with a marker or holding down SHIFT when inserting the CD - this involved some effort to bypass, but no charges were filed because it's such a simple, elementary method and exposed the DRM implementation as so fundamentally broken that it did not deserve protection against such an attack.
So you let the browser download what the server sends, let it run the scripts and update the document, and then access the data which is (by design) exposed by the browser.
I ANAL and all that, and even if I were, you shouldn't take internet comments as legal advice or you get what you deserve.
I can see it now, the Hulu pauses for a two minute commercial break. In order to resume playback, you have to answer a CAPTCHA concerning the content in the paid advertisement.
If you forget how many MPG they advertised for their new Mazda, you have to replay the commercial and pay attention until you get the answer right.
Of course the commercials, CAPTCHA questions and their answers will always be determined by the highest paying bidder.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
The goose is far from laying golden eggs. You would be closer to the truth to say "stop throwing money away on entertaining me, because if you don't do it the way I want, I'll just pirate it anyway."
All of this cat and mouse is ultimately futile, and has just given Boxee more attention than it would likely have gotten for at least several more years (if ever). And since Boxee keeps fixing their Hulu integration... It's just pushing more people to check it out and start using it.
I had heard of Boxee, and actually started using it a few weeks before this whole mess, but I have a number of friends who had never heard of it until all of this nonsense started, and now they (and I) are considering dropping cable in favor of setting up some sort of HTPC running Boxee or XBMC or something similar (and if Hulu doesn't want to join that party... well too bad, I'll probably watch it less, and just watch it in a browser on the same damn TV when I do want to).
hulu doesn't have much content worth protecting anyway. the shows and movies they do have are so old you can probably get a copy for free at your local library. and do a search for something such as "national geographic channel", the 'shows' that pop up are just promos and excerpts.
most of what they have should have expired into the public domain by now, that is if our copyright laws actually worked the way they're supposed to.
they should put at least half as much effort into getting new and interesting content as they do trying to "protect" the crumbs they have now.
Ironically Hulu's commercials could be more expensive if they were targeted.
Like any arms race where it's content producers vs. the internet, the internet will win in the end.
Which is too bad. All these idiots who think that they are somehow entitled to something for nothing will end up driving the content providers out of business. Then what will the internet have won?
You kids just don't get it. Both Hulu and Boxee are trying to create social communities and there is cross advertising - most notable as film trailers - on the site.
Why should Hulu pay for all the content for Boxee to use it for free?
Which is too bad. All these idiots who think that they are somehow entitled to something for nothing will end up driving the content providers out of business. Then what will the internet have won?
It's a tad bit more complicated here. In this case, the Hulu users would still be getting something in exchange for watching ads. It's not nothing, though the ad revenue through Hulu would be a lot less than ad revenue on a regular channel. I would not be surprised if it was a 10:1 or 20:1 ratio as to revenue per viewer on broadcast vs. Hulu. That's a very steep cliff to jump, not anything like a smooth transition from "old" media to "new" media.
While the difference between TV and video on the internet is beginning to blur, it's still pretty well defined from the user's perspective, how you interact with it is different on a computer, and I think Hulu on XBMC and AppleTV is still a niche audience at best for the moment. Even if the content providers are getting money through Hulu, they can't afford to lose audience members from the channel to Hulu any faster than they have to.
I just hope the imaginary property Nazis don't eventually require Hulu to use DRM-fettered technology to limit content availability to one platform.
Boycott Hulu!
Then why are they advertising Hulu ON TV?
(reads note again)
Oh, right.
Have they never heard of DOM browsers? Or Greasemonkey? Both do not care for the source files, and directly use the document parse tree. Idiots. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I don't think that they've forgotten it, it's just in their best interests to maintain the appearance of a distinction for as long as possible, because that distinction is part of the leaky dam separating traditional media from podcasters.
It's somewhat poetic: we look at a newspaper and see what's happening in the present. Content providers look what's happening to newspapers and they see their future.