Hulu Munging HTML With JS To Protect Content

N!NJA writes "Hulu has started encoding the html that they send to people's browsers, and then decoding it using javascript before rendering it. [...] They then run the character stream through a series of javascript functions to convert it back into plain text before pushing it into your browser using DHTML. That's quite a lot of effort just for fun, so I assume that is to stop screen scrapers from parsing content." I really can't understand all this effort. Boxee displayed the Hulu advertising perfectly. I suspect Alec Baldwin is to blame.

what do you expect?

[antibryce]

they're aliens. that's how they roll.

Re:what do you expect?

[punkmanandy]

They are doing this to confuse, to better mush our brains.

With apologies to Shakespeare...

[Bieeanda]

It sounds like there's something ROT-13 in the state of Hawaii.

April Fools Day...

...ended at midday yesterday. Though I have to admit that this is far funnier than the "stories" that Slashdot ran at the time.

Cat & Mouse.

[0100010001010011]

The XBMC guys already made a plugin after the last hulu change. It'll take a few hours and a new one will be made.

Especially if you SEND the user all the info they need, how hard is it to decode functions? There are crackers out there that take decoded assembly to figure out how to bypass DRM, what makes Hulu think their implementation will be any more difficult?

Re:Cat & Mouse.

[C0vardeAn0nim0]

a marketing major or MBA course. that's what makes them think it'll be more dificult.

Re:Cat & Mouse.

[schmidt349]

Shut up! That's why.

Re:Cat & Mouse.

[v1]

It's probably more targeting people like me. I've already considered writing an app to scrape the pages, and download ALL their movies to a large hard drive or two.

I'm sure it's on a lot of other people's minds too with similar skills.

I do that from time to time for web archives of images too. Curse that 1000 hit limit on images.google.com!

Re:Cat & Mouse.

[jnetsurfer]

Even still, if they're using javascript to decode the HTML, they're not really protecting themselves. Your app can just run their javascript and still work perfectly.

Re:Cat & Mouse.

[koterica]

This is modded as funny, but it is rather insightful. The people who make business decisions (or what they think are business decisions) don't necessarily understand the things they are messing with. In this case, they obfuscate because they are worried about people pirating content.

Honestly? Hulu is a great service (if you live in the US) but its not a high priority target for piracy. Why go to the effort of ripping a stream with ads in it when the torrent is already out?

Re:Cat & Mouse.

[fprintf]

No, trust me, the freakin' programmers and IT people make it impossible. All us MBAs want to do is output a freakin graph, and you put us through all kinds of process steps, and gates and usability testing, and then decide it will cost $1Million just to make a simple change. No wonder nothing gets done without a multi million dollar budget.

Re:Cat & Mouse.

[tweek]

It has nothing to do with piracy. It has to do with revenue from cable company contracts. The problem the "content providers" had was that via Boxee and other set-top pcs, people could forgo cable all-together and that would be a huge chunk of lost revenue. Hulu is popular but the ad revenue from Hulu is nothing compared to the money the cable companies pay "content providers".

* I quote "content providers" because Hulu liked to use that phrase when Boxee was shut out. The fact of the matter is that Hulu is co-owned by two of these "content providers" so in essence, Hulu *IS* the "content provider"

Re:Cat & Mouse.

[Zebedeu]

Do you really believe that all of this content is going to get less available over time? Note that this would essentially contradict all of history.

Yeah, don't bother making copies of those documents at the Great Library of Alexandria.

Re:Cat & Mouse.

[MoonBuggy]

The fact of the matter is that Hulu is co-owned by two of these "content providers" so in essence, Hulu *IS* the "content provider"

I'd be interested to know where the division lies, actually. Their blog posts when Boxee was cut off had a distinctly irritable tone - they were very much making their point that the content providers don't understand the new marketplace they're operating in; basically, they were saying of the content providers the exact same thing most of the posts on this story are saying of them.

To me, that means they're autonomous to a reasonable degree but the studios have the final say. I would guess that the Hulu team themselves made all the relevant points about how this obfuscation won't work, and were overruled - just because their company is owned by the studios, doesn't mean the employees working there share the same ideas.

Re:Cat & Mouse.

[thesolo]

No, trust me, the freakin' programmers and IT people make it impossible.

Riiiiiight.

Sorry, but you're wrong. Honestly, we just want to get the code written and have you leave us alone. But we can't do that.

Instead, we have to follow the rules implemented by management, usually non-IT management. So while the code change itself might be all of 10 minutes, we have to follow Six Sigma, or have all changes go through 3 weeks of requirements gathering, or have to follow some horrible process workflow like the Waterfall model because they read about it in CEO Magazine.

It's management who make your life more difficult. And oddly enough, almost all of them have MBAs...

Re:Cat & Mouse.

[Bigjeff5]

A month, a friggin month to unplug from a 100mb switch port and plug into a 1gb switch port.

5 minute change if you include the exhaustive checks, and double checks, and tripple checks to make sure there is not a problem.

Change Management at its finest!

Re:Cat & Mouse.

[hondo77]

What about if your internet goes out and there's jack-crap on TV?

Read a book?

Dumb question here

[dkleinsc]

Couldn't an enterprising screen-scraper also just run it through the same Javascript code? Hulu is forgetting what I like to call the Fundamental Law of DRM: if you make data possible for users to see /hear, it will be possible for a reasonably enterprising user to copy it.

Re:Dumb question here

[ynef]

Yes, in fact, HtmlUnit is my preferred browser simulation library in Java for this very reason: it allows you to write very easy to understand Java code, and it uses Rhino as a JavaScript interpreter. Completely brilliant, and yet few people know about it.

Re:Dumb question here

[Applekid]

Couldn't an enterprising screen-scraper also just run it through the same Javascript code? Hulu is forgetting what I like to call the Fundamental Law of DRM: if you make data possible for users to see /hear, it will be possible for a reasonably enterprising user to copy it.

Sure. Except, crappy as the Javascript "encryption" is, now you're in violation of the DMCA by reverse engineering a copy protection mechanism.

Re:Dumb question here

[causality]

Couldn't an enterprising screen-scraper also just run it through the same Javascript code? Hulu is forgetting what I like to call the Fundamental Law of DRM: if you make data possible for users to see /hear, it will be possible for a reasonably enterprising user to copy it.

I think you left some of that Fundamental Law unstated. This is an approximation of the full version:

If you make data possible for users to see/hear, it will be possible for a reasonably enterprising user to copy it. Only one such user is needed to make a DRM-free (and ad-free) version available via BitTorrent. Meanwhile, you stand to annoy all of your legitimate/paying/ad-watching users, especially if they understand this Fundamental Law and/or your assumption of bad faith.

Re:Dumb question here

[nobodylocalhost]

only if the decoder is american though.

Re:Dumb question here

[jnetsurfer]

But you're not reverse engineering. They're sending you their code, you're just running it!

Phase One is Over

[wonkavader]

TunerFreeMCE couldn't scrape the data. Mission accomplished. Oh, wait... Tada:

"Update- version 2.6.7 is now available to download to work round this new tactic."

And now, I supposed, there will be a DMCA attack as phase two.

Re:Phase One is Over

[derGoldstein]

I sure hope not.

If it is, then what's the difference between obfuscated code and horribly written code thats difficult to understand? Or code thats been run through a minifier to make it smaller?

So you mean all Perl!??

Re:Don't they want people to use Hulu?

[NeoSkandranon]

They *want* you to go back to watching regular TV, where the ad revenue is greatest.

As Long As It Works With Linux

[Prototerm]

As long as Hulu continues to work with a Linux-based browser, I'm happy. This is unlike ABC, whose system doesn't support Linux at all.

Their loss (or perhaps I should say "They're Lost").

Re:Can you blame them?

[FauxPasIII]

> if they wanted aggregates to link to their content I would think hulu would have provided an API to allow it.

They did. It's called the hypertext transfer protocol.

Plan B: CAPTCHA

[derGoldstein]

Make the viewer fill it in every ~2 minutes to keep watching.

Re:Don't they want people to use Hulu?

[causality]

They *want* you to go back to watching regular TV, where the ad revenue is greatest.

As you probably know, that cat's not going back into the bag. I wonder whether the inability to admit this and work with it is a special trait of media companies or if it's just true of large organizations in general?

Re:Content Providers' Demands?

[maxume]

Hulu is a joint venture of NBC Universal and Fox Entertainment Group. The Hulu management might not precisely be content providers, but the folks holding the purse are.

Re:I can't understand...Boxee displayed ads perfec

[russotto]

These guys do understand that nothing prevents me from plugging my laptop into a TV and running a browser on it? And nothing prevents me from plugging a tuner card into my computer and showing TV on the monitor? So regardless of what they do, they can't make something show on a computer but not on a TV?

Wait a minute, my assistant is handing me an envelope he says will explain everything.

(envelope opening noises)

The note inside says "They're total idiots".

Yep, that does explain everything.

Re:Huh?

[AKAImBatman]

The particular situation here deals with compressed/encoded HTML in an effort to prevent screen-scraping. This leaves two options for screen scrapers:

Option 1
1) Figure out how the decoder works
2) Replicate the decoder functionality in the screen scraper
3) Parse the decoded HTML
4) Make changes as the encoding scheme changes
5) ???
6) Profit!

Option 2
1) Link a Javascript engine like SpiderMonkey, Rhino, V8, or SquirrelFish into the screen scraper
2) Run the Javascript to decode the HTML
3) Parse the decoded HTML
4) ???
5) Profit!

Brand dilution guys....

[nweaver]

Hulu is a BRAND. It wants to live in its own world and be exclusive.

So their attitude is "Frak Boxie", as boxie is trying to DESTROY the brand of all the video sites to be replaced by the Boxee brand.

Why should Hulu play nice?

Re:Brand dilution guys....

[MightyYar]

They are being knuckleheads. Their "website" is analogous to a traditional TV channel and Boxee is analogous to a set-top cable box. You'd still get the Hulu ads, still get the Hulu branding.

To be fair, it seems like Hulu would very much like to be on Boxee - the distaste of the content providers' policies is palpable on their blog.

Re:Can you blame them?

Absolutely.

It's been cute these last 10 years watching companies try to put things on the Internet and monopolize the information they put up. If you don't require user authentication, it's public.

If you want to piggy back in a web browser, with a public protocol like HTTP, expect people to interact with your server in unintended ways.

The only way to prevent this is to invent your own propietary protocol, and your own client. And even this doesn't prevent reverse-engineering of the protocol to gain access.

It's all about the DMCA

If you do decrypt it without authorization, they can claim you're in violation. It's not about the technical merits of their solution, it's about the legal aspect.

Re:I can't understand...Boxee displayed ads perfec

[MrMarket]

And to anyone complaining about having to dance through proxies to watch Hulu internationally, it's for the same reasons. What benefit does Charmin see from advertising toilet paper to people in the Netherlands?

This is where the MBA and Marketing guys are falling down on the job. They should be selling regional ads for international viewers... instead of Charmin, they could sell Nokia ads for Dutch viewers, Weetabix in the UK, and Nutella in Italy, etc...

Fail

[Chlorine+Trifluoride]

This is not actually the worst web DRM. I once found a site where the top of the code had a comment that said "Source code not available" followed by a bunch of blank lines. In order to get the source, one just had to scroll down some.

Which, of course, would make the scroll bar an anti-circumvention device.

Obviously discrinatory against Lynx

[Digital_Quartz]

This is probably to stop Lynx browsers from properly displaying content. I'm betting this move was backed by bribe money. Clearly this is aimed at reducing compatibility with Lynx. MS is just trying to steal away market share.