Adobe Flaw Allows Full Movie Downloads For Free 166
webax writes with this excerpt from Reuters:
"[An Adobe security hole] exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience. 'It's a fundamental flaw in the Adobe design. This was designed stupidly,' said Bruce Schneier ... The flaw rests in Adobe's Flash video servers that are connected to the company's players installed in nearly all of the world's Web-connected computers. The software doesn't encrypt online content, but only orders sent to a video player such as start and stop play. To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players."
webax also notes that the article suggests DRM as a potential solution to the problem.
Re:Doublethink (Score:5, Informative)
Schneier didn't write the article. He is only quoted briefly.
Not really a flaw (Score:5, Informative)
There are two separate issues mentioned in the article.
1. HTTP and RTMP are not encrypted and thus it's trivial to record any video sent over these protocols. This is well-documented and I'd hardly consider it a flaw. Flash 9u3 has DRM (RTMPE+verification), but most Web sites don't bother to use it.
2. Apparently Amazon's movie store server will send the whole video whether the customer has purchased it or not. This is a bug, but it's Amazon's fault not Adobe's and Amazon should be able to fix it easily enough. Also, they're apparently not using all the DRM features available in Flash so their videos aren't as protected as they could be.
AFAIK Flash DRM hasn't been cracked yet because no one uses it. I'm not an advocate of DRM, but as a practical matter I find it works better when you actually turn it on.
Not that Adobe's method is perfect, but (Score:4, Informative)
Any site that try to protect their content with stupid tricks
Actually, what they did was trade-off stream security for the user experience - if the stream does pre-load, then the viewer can start viewing the movie much faster after they pay.
Its a good trick if most of your users do pay, as they get the video they pay for much faster (since it's already pre-loaded) than would be possible if the paid content was sent in a separate stream that did not start until after the payment was processed.
Mainly, this is an artifact of delivering video via http/progressive download vs. rtsp - you have a few options:
1. deliver one stream - tradeoff - geeks can view for free
2. deliver two streams - tradeoff - slow, annoying start up while you wait for the second stream to load enough to start playing
3. use rtsp - tradeoff - reduces the quality of the video to match minimum bandwidth between the server and the viewer
For really secure video, you'd use either RTSP or DRM (or both8-0), but they both have other problems with quality and user experience.
I guess a system designed by a video geek would probably lean towards providing the best quality viewing experience while making it possible for a geek to get the video for free:-).