Thriller Media Group

Stopping content thieves from taking your Flash video content requires a little extra work and some resources.  If you follow these guidelines, then your content won’t show up on PirateBay or YouTube.

There are lots of applications and plug-ins out there to allow you to capture video streams off the Internet.  It’s so easy that you may think there is no way to protect your content at all.  The following with give you some advice on how to protect your videos and sleep better at night.  You’re going to employ some extra services or buy some software, but if your content is valuable then it’s worth the investment.

Protecting Windows Media content has been fairly easy for quite some time.  You can use the Windows Media DRM suite which will attach a digital certificate to the WMV file and require an active and valid cert to be downloaded in order to watch the video.  Although this system isn’t fool proof, it’s pretty strong and will stop most people dead in their tracks.  Microsoft is gearing up to roll out PlayReady which will plug the holes up in WM DRM.  It fully supports Silverlight in both Windows and Mac OS, and will be easy to use (so they say).  Look for a full deployment of PlayReady this summer.

But how do you protect Flash videos, specifically FLV, F4V, and MP4?  If you deliver your content via progressive download, then there will be little chance you can stop someone from taking that video from you with little effort.  Progressive download is literally downloading the file to the end user PC.  Where’s the protection?

There is no technology today to add DRM to the file itself.  Although there are some services out there that will offer something like that, they typically require you to use their proprietary Flash player in order to protect the content, who wants to do that?

So that leaves us with one option, protect the delivery of the video.  You may immediately think you can just stream the video using a Flash Media Server or Wowza server.  Think again.  Products like Replay Media Capture can snatch that stream right up.  What you need to do is stream the video using a Flash Media Server using RTMPE instead of RTMP.  You also need to disable RTMP from the server all together.  Adobe had a security warning about this awhile back.  Leaving RTMP on, allows for a back door.  RTMPE will encrypt the stream during delivery makeing it very difficult to de-compile and capture.

Are we done yet?  Nope, I’m just getting started…  What’s to prevent someone from discovering your stream name and then embedding that in their own Flash player?  You need to use SWF verification.  SWF verification will will ensure that the SWF playing the video is your SWF and not someone elses.  Again, you will need Flash Media Server to do this with.

Are we done now?  Not quite.  You’ll be delivering your SWF via HTTP to the browser, so it wouldn’t be too hard to locate that file and WGET it.  Now I have your player I can play it all I want.  What do you do now?  Use a Token based authentication with a time expiring URL.  These schemes usually use a MD5 128-Encrypted hash.  What will happen is, a unique URL will be used to play the video each and every time someone visits your site.  The URL will pass a token back to a secure server proving that the hash is authentic.  Then an time expire value is appended to the URL that will expire that link in a matter of seconds or a minute.  Nothing too long.  Access to the link is the only thing expiring, not the content.  So as long as the person has started watching the video with in that time frame, there is no problem even if the video is 2 hours long.  If they need to re-watch it, then they visit the site again and get a new URL.

All of this sounds like a lot of hassle and expense, is there an easier way?  If you deliver your videos through a CDN who uses FMS, then they probably offer all these services, you won’t have to incur any of these expenses.  Try a company called Influxis, they host FMS servers and you can setup a FMS how ever you want with minimal cost.

For a higher end solution, check out WideVine.  Widevine uses some proprietary technology which goes beyond what I’ve mentioned here.  Widevine’s intuitive DRM management tools offer total control over the encryption, key management, distribution and consumption of digital media. Using Widevine Cypher, pre-configured policies, digital rights and encryption are applied to inbound assets, automatically registered with Widevine and the CMS, then uploaded to a destination partner network or CDN.  Just know, that WideVine doesn’t come cheap!

I hope this information is useful for you.  Like all security on a computer, as soon as you plug a hole, another one is dug.  The goal is to stay one step ahead of the bad guys.

If you have any questions about this topic, please feel free to post them here and I will respond.

Thanks,

Mike Colburn (DigitalMediaGuy)

Stopping content thieves from taking your Flash video content requires a little extra work and some resources.  If you follow these guidelines, then your content won’t show up on PirateBay or YouTube.

There are lots of applications and plug-ins out there to allow you to capture video streams off the Internet.  It’s so easy that you may think there is no way to protect your content at all.  The following with give you some advice on how to protect your videos and sleep better at night.  You’re going to employ some extra services or buy some software, but if your content is valuable then it’s worth the investment

Protecting Windows Media content has been fairly easy for quite some time.  You can use the Windows Media DRM suite which will attach a digital certificate to the WMV file and require an active and valid cert to be downloaded in order to watch the video.  Although this system isn’t fool proof, it’s pretty strong and will stop most people dead in their tracks.  Microsoft is gearing up to roll out PlayReady which will plug the holes up in WM DRM.  It fully supports Silverlight in both Windows and Mac OS, and will be easy to use (so they say).  Look for a full deployment of PlayReady this summer.

But how do you protect Flash videos, specifically FLV, F4V, and MP4?  If you deliver your content via progressive download, then there will be little chance you can stop someone from taking that video from you with little effort.  Progressive download is literally downloading the file to the end user PC.  Where’s the protection?

There is no technology today to add DRM to the file itself.  Although there are some services out there that will offer something like that, they typically require you to use their proprietary Flash player in order to protect the content, who wants to do that?

So that leaves us with one option, protect the delivery of the video.  You may immediately think you can just stream the video using a Flash Media Server or Wowza server.  Think again.  Products like Replay Media Capture can snatch that stream right up.  What you need to do is stream the video using a Flash Media Server using RTMPE instead of RTMP.  You also need to disable RTMP from the server all together.  Adobe had a security warning about this awhile back.  Leaving RTMP on, allows for a back door.  RTMPE will encrypt the stream during delivery makeing it very difficult to de-compile and capture.

Are we done yet?  Nope, I’m just getting started…  What’s to prevent someone from discovering your stream name and then embedding that in their own Flash player?  You need to use SWF verification.  SWF verification will will ensure that the SWF playing the video is your SWF and not someone elses.  Again, you will need Flash Media Server to do this with.

Are we done now?  Not quite.  You’ll be delivering your SWF via HTTP to the browser, so it wouldn’t be too hard to locate that file and WGET it.  Now I have your player I can play it all I want.  What do you do now?  Use a Token based authentication with a time expiring URL.  These schemes usually use a MD5 128-Encrypted hash.  What will happen is, a unique URL will be used to play the video each and every time someone visits your site.  The URL will pass a token back to a secure server proving that the hash is authentic.  Then an time expire value is appended to the URL that will expire that link in a matter of seconds or a minute.  Nothing too long.  Access to the link is the only thing expiring, not the content.  So as long as the person has started watching the video with in that time frame, there is no problem even if the video is 2 hours long.  If they need to re-watch it, then they visit the site again and get a new URL.

All of this sounds like a lot of hassle and expense, is there an easier way?  If you deliver your videos through a CDN who uses FMS, then they probably offer all these services, you won’t have to incur any of these expenses.  Try a company called Influxis, they host FMS servers and you can setup a FMS how ever you want with minimal cost.

For a higher end solution, check out WideVine.  Widevine uses some proprietary technology which goes beyond what I’ve mentioned here.  Widevine’s intuitive DRM management tools offer total control over the encryption, key management, distribution and consumption of digital media. Using Widevine Cypher, pre-configured policies, digital rights and encryption are applied to inbound assets, automatically registered with Widevine and the CMS, then uploaded to a destination partner network or CDN.  Just know, that WideVine doesn’t come cheap!

I hope this information is useful for you.  Like all security on a computer, as soon as you plug a hole, another one is dug.  The goal is to stay one step ahead of the bad guys.

Thanks,

Mike Colburn (DigitalMediaGuy)

You may be asking yourself, what is a Flash Player?  or Why do I need one?  I have my Flash videos, won’t Internet Explorer or Firefox play them?  Have you ever tried to play a .FLV file on your computer?  You probably weren’t too successful in doing so.  .FLV is not a format that Windows Media Player or QuickTime player supports.  You can’t just link to a FLV file on your web page and expect the video to play like you would if it were a WMV or MOV file.  So how is it, that all these web sites have a Flash videos on them?

Whats unique about Flash is that you can create a customized player that embeds in a web site and plays the .FLV (and some other formats) on the web site.  There are stand along FLV players you can get for your desktop, but most people don’t have those installed because FLV isn’t the type of video file that gets downloaded to a computer.  It’s main purpose in life is play through a web browser.

In the old days (about 5 years ago), the idea of Flash and Video together was silly.  There was no FLV format and you had to embed the video file into a SWF, making the SWF a huge file.  The video wouldn’t play until the whole SWF loaded.  A lot of that changed as the FLV format became widely used.  The FLV would play through a Flash Player and supported progressive downloads (meaning you can watch the video as it downloaded).  Then along came Flash Media server and streaming and now the fun really started!  To read more about the differences between streaming and downloading, click here.

What exactly is a Flash Player?

Using an application like Adobe Flash, you create a small application and compile it into a Shockwave File (SWF),  when the SWF is embedded on the web page, it can accept commands to play media files and FLV is one of those media files.  SWF players are usually very small and download quickly while the web page is loading.  What’s so great about creating SWF players is that they can look and feel how you want.  You can add buttons and functionality.  You can add features like chat, or interactivity, advertising, social media aspects, and easily track video usage.  Think about a little bowling game built into the player, as you are watching a bowling video you can play the game.  All those nifty little animated advertisements you see on web sites, those are mostly Flash SWF files.

How easy is it to make a Flash Player?

Not too easy if you don’t know what you’re doing.  But there are some simple, and cost effective ways to add Flash Video to your site.  One of my favorites is the JW Player by LongTail Video.  This player is OpenSource and free to download (for non-commercial uses).  It’s one of the most popular players out there now and rightfully so.  Besides being a fairly easy to use player, it supports all kinds of plug-ins and since it’s OpenSource you can create your plug-ins or skins.

Here are some of my favorite add-on’s to the JW Player:

• Easy Advertising (they bring quality ads right into your video and you get paid)
• Viral Marketing (add embed, link and comments to your videos)
• Related videos (add a list of related videos for the viewer to see)
• Built in Google Analytics (track the behaviour of each video file)
• HD Button (click a button to swtich between HD and SD versions of the the video)
• Accessibility (Add closed captions to your videos)
• Play Lists (Create play lists displaying multiple videos)
• Player Analytics (Track player movements like, start, stop, pause, etc)
• YouSearch (Search for YouTube videos and plays them inside the JW Player)
• Dozens of pre-made skins to change the look and feel of the player

You can see that the JW Player is very flexible.  They have a great support community and will even provide tech support via email for free!

If you’re looking to add Flash Videos to your web site, there is no real reason to make a custom Flash Player.  A good developer would charge you several hundred to thousands of dollars to develop a player.  Instead use a pre-made one.  Of course there will be times when creating your own custom and branded player is essential.  When that time comes, expect to spend some money and time developing it.