Adobe hole enables free movie downloads

Flaw, which rests in Adobe's Flash video servers, is giving people free access to record and copy from Amazon.com's Video on Demand service.
(From Reuters)

The story "Adobe hole enables free movie downloads" published September 27, 2008 at 8:57 AM is no longer available on CNET News.

Content from Reuters expires after 30 days.

[threerabbits]

Not sure where this guy got his information. But I'm pretty sure the stream is fully encrypted when using the RTMPE protocol. If you simply try playing a stream that contains ascii text in it, and capture the packets using packet capture s/w like Wireshark, and try searching for that ascii text, you won't see it anywhere in the data that is sent over the wire. So it doesn't appear that only certain commands are encrypted.

If he read the Security Advisory issued by Adobe earlier this month and the TechNote that was linked to the advisory, he would have read that the way some stream catching sofware works, is by making an unencrypted RTMP connection but faking the uri to appear as if it was an RTMPE connection. So if you take the proper measures to only allow RTMPE (and not by checking the protocol in the uri which is as they say, spoofable), then the stream catchers will not be able to play an enencrypted stream.

Seems like these guys should have did some homework before making statements about how "stupid" something is, or understand how something works before publishing their own wild ass guesses as to how something works.

[vlastone]

Another vapid, sensational report from CNET ? regurgitating clueless Reuters.

A business model can not be "derailed" by a few clever hackers - those who are into getting their content for free will not want FLASH files, but will download AVI files ripped from DVDs at much better image quality.

The real story - something entirely missed by the CNET experts for years - is that to date there is no easy way for most consumers to connect a Mac or a PC to their new flat-screen TV at full image quality, using the full screen resolution. Where is the SVGA or DVI-D to Component Video or HDMI connection that actually works instead of getting blotchy color, image in a black box or cut-off menus ? as is currently the case with 95% of TVs on the market? That's the #1 barrier to the evolution of digital, computer-based entertainment systems and content delivery services - being deliberately derailed by the collusion of CE and content industries. Please investigate and report on this very real issue.

[unknown unknown]

Using some stream ripping software is no more difficult than downloading any other file from the internet.
I usually don't watch a given episode or movie more than once or twice so downloading them in any form is just a waste of hard drive space for me.
A lot of sites are using HTTP to stream, though Hulu does use RTMP. I suspect if they start using encryption we'll see rippers that just take it from the flash players buffer in memory.

[SoftWary]

Bruce Schneier's characterization of this being the result of stupid architecture is exactly right. The DRM protection Adobe applied here is akin to the infamous toll-booth in the film Blazing Saddles.

But, more broadly ...

This is just one more example of how sloppy Adobe is on quality and security. Adobe has consitently been putting their own bottom line ahead of the quality and security needs of their customers. This time, the impacted customer is a big one (Amazon), so maybe this will lead to some real change. Before this, it could be argued that the easiest way to penetrate a computer is through Adobe software. Now, also it may be said that the easiest way to subvert DRM is through Adobe software. Is it that Adobe engineers are incompetent, or is it that executive leadership is incompetent? Or, are the flaws a deliberate means to drive a de-facto software rental model that cynically exploits customer naivete by leading customers to purchase the next version in the hopes that it will have less problems?

In one sense, they are the Washington Mutual of High Tech: screwing their own future, and that of their customers, in the relentless pursuit of a better quarterly result.

Can anyone really say that they need the next version of any of Adobe's products for any reason other than the correction of flaws, or for future OS compatibility? I for one don't really want to pay hundreds or thousands of dollars for some bug fixes, and some more OS shiming, a few unnecessary new features, and, undoubtedly a fresh batch of bugs.

I think Adobe would be better off with Rube Goldberg as CEO ....

[threerabbits]

It's unfortunate that such a person with such a high reputation would make such a comment. But he doesn't understand the technology at all. he may be going by what the author of the article told him, but the article is incorrect in every way. The streams are encrypted, not just certain command as he claims. And the fact that the stream could be ripped is because the service providers did not enable the proper security measures on the server. There were no "shortcuts" to make it faster by not encrypting the entire stream. The entire stream is encrypted. And anyone who bothered to do a test to verify this could easy see this to be the case. The article is false in every aspect.

I'm not sure how you can really bash Adobe on security. What sort of justification do you have for your statement "This is just one more example of how sloppy Adobe is on quality and security. Adobe has consitently been putting their own bottom line ahead of the quality and security needs of their customers."?

[SoftWary]

to threerabbits:

By request, examples of where Adobe is the weakest link:

1. A hacker contest held quite a while back ... the easy way into the target system was the Flash Player. Search news.com for the story.

2. The Acrobat security holes that hit earlier this year. Then, they patched only Acrobat 8, leaving Acrobat <8 vulnerable. Brilliant. They did ultimately get the point and fix it all.

[threerabbits]

Fair enough. But it is only logical that a piece of s/w used on over 90% of desktops is the easist way to target a system. Does that mean you're not going to use Windows? I'm getting security updates left and right. Security is tough. It's always easier to criticize than to come up with a solution. Why do you think companies want to just get rid of DRM. It's an impossible problem to solve. But somebody has to do something, and it will get broke, and there will be a response to that, and so on and so forth. If SilverLight were as popular as Flash, do you think you'd see any fewer security issues? And the SilverLight team is likely 10x larger than the FlashPlayer team. But there has to be a reason why Flash is so popular, right?

But my biggest beef is not whether there are security holes. All products have them, or will have them. My problem with this whole article is how incorrect it is factually, and the fact that the author can write such a thing without checking his facts. This is not journalism. And while he has updated the story,

http://www.reuters.com/article/marketsNews/idINN2928873020080930?rpc=44

the damage is done, and people's reputations are affected, and Adobe are left cleaning up a mess that, in this particular case, should never have happened. That's not to say there won't be a serious security flaw found in the future. But there is none here. And had he checked the facts before hand, he would have found that to be the case. But this makes for a much better headline and read.

Here's another bloggers comments which pretty much sum up my thoughts as well,

http://www.thedrmblog.com/

[inachu]

Why do that work which is such a hassle when there are frame grabbers that record video being watched then copies any sound output. file size depends on size of video screen being recorded.
this easy ripping technology has been out since 1998.

[inachu]

Why do that work which is such a hassle when there are frame grabbers that record video being watched then copies any sound output. file size depends on size of video screen being recorded.
this easy ripping technology has been out since 1998.

[threerabbits]

There are definitely a myriad of different ways to rip a stream. However, the point I'm trying to make is that this article is nonsense. It's in incorrect in every way on how the technology works. If you analyze the network data using Wireshark, you'll find that Replay Media Catcher does nothing more than make an unencrypted RTMP connection. If the servers are configured properly to reject unencrypted connections, it won't work. They are not ripping the encrypted stream. They are taking advantage of the fact that the url can be spoofed to look like an rtmpe connection is being made, when in fact one is not. But the way the service providers were checking the protocol of the connection was based on this spoofed url, not by asking the server, who knows the real protocol being used. This is what the security bulletin and TechNote that Adobe issued early this month talks about. But he obviously didn't read that or contact Adobe before writing this farcical article.

But it sure makes for a good headline and attention grabber, doesn't it? Will be interesting to see if he is held accountable for writing such rubbish without checking his facts.

[RossMoran]

I would be surprised if Bruce S did not check his facts he is pretty darn diligent.

I did notice that reuters di come up with an update to the article after Adobe fixed the hole so you have to give them credit...

But it looks like they did not fix it completely and now they are being attacked by frame buffer grabbers.

While no longer free the $14.99 downloads only cost you $3.99 :-)

Also I like the way you can what content without advertising see www.tvadfree.com

[threerabbits]

I'm telling you for a fact, that it does not work the way they are saying in the article.

And Adobe did not fix anything. There was nothing to fix. The CDN's were not preventing RTMP connections (and only allowing RTMPE) properly; they either didn't have the checks in place, or they were checking based on the uri string which is Replay Media Catcher had spoofed. If you check the protocol using the API's supplied by the Flash Media Server, then Replay Media Catcher would not have been able to make the RTMP connection which is what they used to rip the stream. They are not touching the encrypted stream in anyway.

[SoftWary]

And a couple more things ...

First, can we please go back to the days when Windows Media Player and Real Player were supported by the various streaming sites? For example, cbs.com used to be a great site. Now, only Flash is supported and not only does the user experience fundamentally suck, but also there is frequently some issue that makes it impossible to watch a show. Tonight, for example, whenever I try to full-screen the show, the video freezes. Please bring back players that were designed for people, rather than for Adobe's revenue stream?

Second, don't forget that one thing Adobe is doing here (though clearly not doing it well) is making fair use impossible. Sure, they are trying to stop pirates. but they are also blocking legitimate use that is. Thet are, to put it simply, now the bad guy ...

[threerabbits]

Adobe makes no money off the FlashPlayer? Presumably, people are choosing Flash because it provides better integration into people's websites than having an ugly box that is the same looking media player in every website. Adobe makes some money on Flash Video, but only what is streamed through CDN's. They make $0 for progressively downloaded video. And the way video is commoditized today, they likely make pennies per GB delivered.

Just curious, what sort of legitimate use are you thinking of in stealing other people's content?

[SoftWary]

Fair Use doctrine allows for one to use parts of copyrighted works, without permission. For example, I may as a teacher present a video fragment in a film class. Technology that makes it impossible to do so, in my opinion, is itself in violation of copyright law. Why would you not support this right, unless you yourself are with either Adobe or a major media house? Or do you just worship the authority?

Another example of fair use is: suppose I have purchased a movie, and I want to make a back-up copy? It is permissible to do this, and this has been supported in case law. Further, I should not be required to use a particular vendor's technology in order to view my backup. What if the reason I require to use the backup is that I have changed my system in such a way that it is -not- supported by the Flash player and/or cannot connect to the content provider's Flash Media Server?

To put it more simply: if I want to throw out my VCR, it is legitimate for me to capture all of my VHS movies to my computer. I am protected by the fair use doctrine in doing exactly this, so long as I do not, at the same time, sell all my VHS movies or otherwise make them available to others. That is a simple fact. And, Adobe is making this kind of reasonable behavior impossible.

[singularitydesign]

It sounds like the blame for this problem is being placed 100% on Adobe, but based on what I'm reading, shouldn't part of it go to Amazon for streaming the full movie file when they are just trying to deliver a 2-minute preview? Am I nuts in thinking that if they had a separate set of preview files that were just 2 minutes long that this entire problem would disappear for them?

It's not the first time that a lazy attempt at "security" leaves content exposed to someone willing to take a few extra steps. Flickr tries to mask certain photos from being savable by visitors by overlaying them with a transparent GIF file, but you can still View Source and find the main image URL to grab.

[threerabbits]

This is not really Amazon's fault either. To encode a 2 min clip of EACH movie is probably a lot of effort. The issue lies with how the protection was setup. And basically, the server providers did not ensure that if a customer asks for the use of encrypted streams (i.e. rtmpe), that ONLY rtmpe connections can be made to access that content. The way Replay Media Catcher got around this was by spoofing the rtmp url used to connect to the server. They made an rtmp connection, but made it appear it was an rtmpe connection by changing the url. But had the service providers been checking the protocol using the facilities provided by Flash Media Server, rather than simply checking the protocol on the uri (which is spoofable), this never would have happened. And that's precisely what the security bulletin and TechNote that Adobe published earlier this month talks about.

What's lost in all this discussion is that the article was basically incorrect in everything it reports. Now there is all this talk about Adobe don't know what they're doing, etc. Maybe they don't. But I think it would be better to debate based on the facts than on fiction, which is what this article is.

[FourWheelVibe]

The Adobe FMS Product Manager has posted details debunking the Reuters story on his blog - http://blogs.adobe.com/ktowes/2008/09/encryption_and_streaming_media.html

[VideoCTO]

It does not sound like Kevin "debunked" the article.

I think what Adobe is saying is that Reuters uncovered a security flaw in the Adobe/Amazon solution.

I think they have also shown that RTMPE is not an adquete subsitute for a proper content secutity solution. Link level protocol scrambling is only part of the need. Also it has shown that RTMPE is a tool that is subject to human error and misconfiguration.

Since Adobe states in thier documentation that RTMPE does not perform a key exchange, this means that the keys must either be embeded in the Adobe client or it is not really encryption but instead may be just obfuscation or mutation. None meet the robustness requirements for key management and key generation that are typcally found in the major motion picture security guidelines.

In the digital media space where content passes through many hands and networks it is important to have perisitent encryption from the point of encoding to consumption. With persistent then any streaming, P2P or PDL server could be used.

Additionally the Flash Player does not have protections post the decryption function which is why the newer tools (WM Capture) mentioned by Reuter's Update 1 seem to still be effective.

It appears that Amazon/Adobe have only moved the attack points both up and downstream a little bit.

I think a proper DRM is in order here to protect all the VOD distributers reveune streams.

[justinbeard]

Looks like the real issue is an ability to stop the stream/screen recorders that copy the video after the encryption is unwrapped. Is there any technology out there can prevent screen recording of Adobe Flash?

[WidevineGlenn]

Try www.widevine.com

Widevine offers a technology that protects the content before after decryption from recorders called Cypher DCP or Cypher Digital Copy Protection.

http://www.widevine.com/internet_digital_media.html

for a demo see http://www.widevine.com/digitalmedia/demo/demo_16_high_noloop.swf

[soiapper]

so good!!!

[fibrewire]

If you can see it, it can be recorded

Any security model depends of the end user being trusted - just like any online banking or other e-commerce website. Once the video is being displayed on the screen, it can be stripped from the video buffer of the graphics card and the audio buffer of the sound card, albeit any kind of security software being used. The MPAA and RIAA has been aware of this since the dawn of the internet, and have already learned their lesson - a best effort option can only rely on the legality of the software player, and if in violation - corrective civil law will run its course. fin.

[WidevineGlenn]

Actualy the Widevine Cypher DCP software prevents grabbing from the video and audio buffers.

But you are correct, there are many layers to solving the problem both technology and legal.

First you must put copy protection in place and then you can take legal action if someone circumvents the copy protections.

The basic problem in the Adobe case is that the copy protection in RTMPE is just protecting the link between the server and the player. So in the player and after the player there is NO copy protection being circomvented by the screen recorders. However if you add something like Cypher DCP and you circumvent DCP then Amazon and the studios could take legal action.

[fibrewire]

Actually...

Someday, we as a people will come to understand that trying to patent a particular type of brush stroke, or trademark a common word in any language, or license the use of a particular thought , is a ridiculous notion. Of course if the powers that be are left unchecked, who is to say that someday for a small fee we will have the ability to watch an amazing and enlightening spectacle, only to have it expire from our minds the following day...

[WidevineGlenn]

Actualy the Widevine Cypher DCP software prevents grabbing from the video and audio buffers.

But you are correct, there are many layers to solving the problem both technology and legal.

First you must put copy protection in place and then you can take legal action if someone circumvents the copy protections.

The basic problem in the Adobe case is that the copy protection in RTMPE is just protecting the link between the server and the player. So in the player and after the player there is NO copy protection being circomvented by the screen recorders. However if you add something like Cypher DCP and you circumvent DCP then Amazon and the studios could take legal action.