Media Wonk

Link This | Email this | Comments (0)

Adobe: Stream capture probably Amazon's fault - September 29, 2008

Without quite saying so, Adobe today strongly implied on its Flash Media Blog that any security hole that allows users of Amazon's video-on-demand streaming service to capture and copy streamed content is likely Amazon's fault, for not configuring its service to take advantage of all the security features provided by Adobe. The posting, written by Adobe's product manager for Flash Media Server Kevin Towes, came in response to a Reuters report over the weekend that blamed a "flaw in Flash servers" for exposing Amazon VOD movies to copying. Amazon launched its movie streaming service earlier this month as an eventual replacement for its Unbox video download service. In its report, Reuters said it was able to use Replay Media Capture software to capture the stream as it was being cached by the video player.

Amazon's VOD service is built on Adobe's Flash Media Server platform, which delivers content using a proprietary file format called RTMP (Real Time Message Protocol). The latest version of FMS supports encrypted RTMP files (RTMPe) as well as unencrypted files. It also supports SWF Verification, which is a system for verifying that a video player on a PC has not been altered or modified before a video stream is delivered from the server. SWF Verification is designed to thwart a popular trick used by stream-capture programs of mimicking a streaming video player or browser plug-in--which typically disable copying--to fool the server to send a stream that can be copied. For it to work, however, the content owner or distributor has to turn it on.

After disputing some of the specific assertions in the Reuters piece, Towes has this to say:

Why can stream rippers capture some content but not others?

Flash developers, content owners and IT managers have the control to enable RTMPe and SWF Verification on video players running on Flash player or AIR. Content Delivery Networks (CDNs) offer support for RTMPe and SWF Verification at their discretion. Content can also be delivered to Flash player, AIR or Flash Lite from a web server (HTTP) or through RTMP without swf verification or session authorization, this could expose the media to malicious capture.

If you would like to use these features of Flash Media Server, you can refer to the  Content Protection whitepaper or contact your CDN representative.

Does Adobe make compromises in content protection to increase performance?

No. Both the integrity of security and performance are of top concern at Adobe. Flash Media Server 3 added significant performance increases and also introduced the new RTMPe protocol.

How do I make sure I am doing all I can to keep my content safe?

Content can be protected from the packet replay technology when streaming from Flash Media Server. Adobe is encouraging all content owners to

* Use Adobe Flash Media Server 3 and RTMPe to stream content to Flash player or AIR
* Use SWF Verification
* Disable the RTMP protocol in Flash Media Server 3 when RTMPe/RTMPs is used
* If a CDN is being used, contact the CDN and ask to disable RTMP and enable SWF Verification.

In other words, if people are capturing Amazon streams it's because Amazon neglected to turn on all of the security features provided by Adobe. Either that, or Amazon's new, in-house CDN, doesn't support SWF Verification.
[Content Protection & Management]  [DRM]  [Platforms & Formats]  [Streams & Downloads]   LEAVE A COMMENT