[Gnash-dev] Ars Technica: Amazon VoD video is copyable

[John Gilmore]

http://arstechnica.com/news.ars/post/20080929-adobe-amazon-point-fingers-over-video-ripping-exploit.html

Adobe, Amazon point fingers over video ripping exploit
By Joel Hruska | Published: September 29, 2008 - 07:10PM CT

The proliferation of online content distribution systems has meant big  
business for Adobe; the company's Flash technology powers the likes of  
YouTube, Amazon's Video on Demand, and Hulu. Protecting the data  
streaming off these last two sites is a major concern of Big Content;  
Adobe's market share is partially built on a perception that it can  
offer the necessary levels of protection. That perception took a major  
blow over the weekend, after an investigation proved that it was  
possible to record video streaming off Amazon's Video on Demand  
service, despite the company's claims to the contrary.

Reuters conducted the analysis, in which it demonstrated how at least  
one media capture program—Replay Media Catcher—could be used to record  
programs from Amazon. Ironically (or perhaps appropriately, depending  
on your point of view), there's no need to actually purchase the  
Amazon content one intends to record, thanks to an exploitable feature  
the site includes to speed video playback. Replay Media Catcher isn't  
free, but the demo version will play back 75 percent of a recording,  
more than enough to verify proof of concept.

One of the features of Amazon's Video on Demand Service is that it  
allows a customer to preview the first two minutes of a show. It's a  
nice option for anyone skimming through a series or searching for a  
specific episode, but it opens the door to the aforementioned exploit.  
Amazon doesn't know if a viewer will actually buy the entire episode  
or movie, but the company errs on the side of optimism and begins  
streaming the full version to your hard drive anyway. Customers that  
opt to purchase their current viewing selection can therefore continue  
watching with no interruption, while those who don't will never know  
the difference—the data isn't streamed to the browser, just the hard  
drive.

It also means there's a full episode's worth of content sitting on the  
hard drive, which opens the door to other possibilities. There are a  
number of applications on the market that are capable of capturing  
this information—Replay Media Catcher is one, Applian another—but  
what's less clear is whose fault exactly that is. Reuters implies that  
the fault lands squarely on Adobe, writing: "To boost download speeds,  
Adobe dropped a stringent security feature that protects the  
connection between the Adobe software and its players." According to a  
recent Adobe security bulletin, however, such is not the case.

In a TechNote released on 8/29/2008, Adobe discusses the security  
flaws that allow streams sent using RTMP (Real-Time Messaging  
Protocol) to be captured, and advises Flash content providers on ways  
to secure their streams. The company recommends two practices that can  
be generally applied to all Flash content. First, SWF (Shockwave  
Flash) verification should be enabled. This allows the Flash Media  
Server to disconnect any SWF files it encounters that return invalid  
verification bytes, and will supposedly prevent anyone from ripping  
content, or at least prevent them from doing it for very long. Second,  
Adobe states that stream providers should only use its RTMPE standard,  
rather than RTMP. RTMPE is an encrypted protocol Adobe created to  
provide SSL-like protection while incurring a smaller performance hit.

Without more information on Amazon's security measures, it seems  
premature to dump all of the blame for this on Adobe. At the very  
least, Amazon's decision to cache content directly to the hard drive  
practically begs someone to come along and hack it; if video-on-demand  
is good, free video-on-demand is surely better. If Amazon was using  
the full security implementation Adobe recommends, that's one thing,  
but if the company was still transmitting using the older, unencrypted  
RTMP standard, that's a different story altogether. Amazon has yet to  
implement a solution, but expect one sooner, rather than later.