The Tech Herald

Adobe offering free movies (offer ends when systems are patched)

by Steve Ragan - Sep 29 2008, 17:48

Flaw in Flash Server leads to content theft thanks to some simple tools. (IMG: J.Anderson)

Thanks to a flaw in Adobe’s Flash video servers, which connect to the Flash players that pretty much everyone has installed, users can record or copy content streamed online. Reuters broke the story, and even demonstrated how to pull it off.

Speaking to Reuters, security technologist Bruce Schneier called the issue a “fundamental flaw in the Adobe design,” adding that Adobe's system “was designed stupidly.” While harsh, there is no question that the problem in Adobe’s design is indeed somewhat curious.

The problem is found within the Flash video servers, which connect to the Flash players used to view content online. Users rely on the player to watch movies, television shows, and other online media content. Most of this content is free, while some of it is fee based, which is why the issue stands out. Adobe is not encrypting the content; instead, it sends an order to the Flash player to stop playing the content after a certain time.

An example of this would be a movie on Amazon with a preview limited to two minutes. However, the flaw would allow someone to copy the entire movie, paying nothing in the process. With the issue of piracy still white hot, this is bad news for paid content providers.

Why would Adobe not offer encryption for streaming content? That’s just it: it does, but to increase the download speeds of streaming media, it has disabled the feature and left it up to the content providers to protect their property.

In plain English, this means the ability to copy entire movies or television shows is the fault of the provider, not Adobe, which offers the streaming service and format.

According to Reuters, Adobe issued a security advisory on this issue earlier in the month (APSA08-06).

“Adobe is aware that third-party vendors have produced software to capture and archive video delivered via Flash Media Server 3.0. Customers using Flash Media Server 3.0 are advised that they can utilize RTMPE or RTMPTE (the tunneled version) combined with SWF Verification to provide maximum content protection,” the company said in an advisory to its customers.

Featured in the Reuters article, Amazon said its Video On Demand service "cannot be pirated using video stream catching software." By using Replay Media Catcher from Applian Technologies, Reuters proved this theory to be wrong as it was able to rip entire streams using the flaw in conjunction with Replay software.

Because Amazon sends the entire movie or television show to the Adobe player, not the browser, the stream ripper from Applian Technologies snatched the whole movie. Amazon uses Flash Server to pause the content after a set period, but this is the only level of security it is using. Tips for getting around the security settings it applied last week are available here.

This is a classic example of how failure to follow outlined security practices can lead to content theft. While DRM (digital rights management) and other restrictive methods of content protection have been deemed evil, most will make the case they are only evil if enforced after a person buys the content.

No matter how you spin it, using stream rippers to clone content before you purchase it is theft, simple theft.

Amazon and other providers could prevent this from happening if they use the methods Adobe outlined in its advisory. Yet, because they want fast streaming content, and users demand smooth streaming, security has seemingly been traded out in exchange for the ever-valuable bottom line.
