Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime 128
A vulnerability found in Chrome by researchers allows people to save copies of movies and TV shows from streaming websites such as Netflix and Amazon Prime. From a Gizmodo report:The vulnerability, first reported by Wired (Editor's note: Wired blocks adblockers), takes advantage of the Widevine EME/CDM technology that Chrome uses to stream encrypted video from content providers. Researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories discovered a way to hijack streaming video from the decryption module in the Chrome browser after content has been sent from services like Netflix or Amazon Prime. The researchers created a proof-of-concept (which is currently the only evidence of the exploit) to show how easily they could illegally download streaming video once CDM technology has decrypted it.Google was notified of the bug last month but is yet to patch it.
Netflix shares to rise (Score:1)
If this gets out in the wild, there will be a bunch of new netfllix subscribers...
Re: (Score:3, Informative)
Re: (Score:1)
You know, I still can't figure out why they block using IPs instead of billing data. Netflix (at the behest of MAFIAA companies) has been very aggressive about blocking VPNs [slashdot.org]. They've even blocked IPv6 [slashdot.org] because they can't figure out how to geocode the IPs. Meanwhile, many thousands of users like you and me can log into a private/corporate VPN that Netflix doesn't readily identify as being a VPN, and everything is unlocked. I have a $10/month VPS in a Dallas datacenter I use for all kinds of stuff, among which
Re: (Score:2)
If you're paying for your account with a US credit card billed to a US address, you should get US content when you login to Netflix no matter what your IP address is.
That would be correct if the license from the movie studio were "You may perform this motion picture to users who are tax resident in this area." But it isn't. Instead, it is "You may perform this motion picture in this area."
Re: (Score:1)
That would be correct if the license from the movie studio were "You may perform this motion picture to users who are tax resident in this area." But it isn't. Instead, it is "You may perform this motion picture in this area."
I believe my fellow AC's point was that the existing method of geocoding IPs is already insufficient for fulfilling the requirement of "you may perform this motion picture in this area", and that basing it off of billing data will be much more effective at doing just that, even though it does do it in a round-about, indirect method.
Though I will concede that the problem is likely that Netflix would first need to convince the dinosaurs over at the MPAA that restricting based on billing data will be more li
Viewing while traveling (Score:2)
Which is more likely to be accurate for someone whose billing address is in one country but is visiting another country on vacation or a business trip? The license prefers counting the play toward the revenue for the regionally exclusive distributor for the country in which the person is traveling, not that for the person's home. It's conceptually like visiting a movie theater while traveling.
Re: (Score:2)
I am guessing they think billing data is easier for the *general population* to manipulate.
It would become so shortly after NetFlix switched to setting availability based on billing address. Businesses would spring up almost overnight to offer US-paid NetFlix accounts to customers in other regions, if they don't already exist for VPN users.
Canadians have been buying US-based subscriptions for satellite services for years.
Re: (Score:2)
why should netflix care? They sell their accounts and that's it. The movie studios can try to sue the payment companies. Good luck.
Re: (Score:2)
People near the borders (or people looking to make a few bucks) would drive across and buy a local pre-paid card (and possibly even a Mailboxes Etc. type address) to get the content of a nearby country. They could easily sell the cards and/or the billing address to others in their country.
Make the "piracy" slightly inconvenient (Score:3)
It's all about detering the 80%-90% people just like what Microsoft did with Windows (95, 2000, XP etc.)
Heck, while Windows was a matter of entering a known CD key or downloading a volume licensed version, the VPN solution for Netflix doubles your monthly bill so you need both technical ability and a willingness to pay.
Going after the biggest VPNs (e.g. let's say public ones with more than 100 Netflix users) is like Windows activation, sort of a show stopper although it was just one more step that was never
Re: (Score:2)
I hadn't thought of the benifit this will have for Netflix. My first take was: Chome "bug" makes it easy to download videos from Google's competitors. This really helps those guys, though, unless it lasts long enough that the content owners start getting pissed at Netflix (not sure how much it matters to Amazon's "purchase" model).
Re: (Score:2)
Or people get a free 14 day trial and then quit after downloading everything they'd ever be interested in watching.
Re:Netflix shares to rise (Score:5, Informative)
For real operating system users: :0.0 out.mpeg
ffmpeg -f x11grab -r 25 -s cif -i
For toy operating system users:
install uscreencapture dshow filter, then ffmpeg -f dshow -i video="UScreenCapture" out.mp4
You are welcome.
Re: (Score:1)
For real operating system users:
ffmpeg -f x11grab -r 25 -s cif -i :0.0 out.mpeg
For toy operating system users:
install uscreencapture dshow filter, then ffmpeg -f dshow -i video="UScreenCapture" out.mp4
You are welcome.
Real operating system doesn't need graphics, peasant.
Re: (Score:3)
install uscreencapture dshow filter
Does that even work if a player application that uses Protected Media Path [wikipedia.org] is running?
Re: (Score:1)
Isn't that going to result in horrible sampling-frequency related tearing / juddering? When we used to do this with PowerDVD back in the nineties, I think the capture process somehow slaved the playback process to it to prevent synchronization issues..
Re: (Score:2)
i think you can grab audio via pulseaudio. linux has some recordmydesktop program, which does so as well. I guess it has ffmpeg under the hood.
Re: (Score:1)
This is how the it should be classified in their bug-reporting system:
Wontfix: notabug
Re: (Score:2)
as widevine is used by chrome, opera, vivaldi and others, there would not much be left. some msie with all its quirks and a vanishing number of firefox users.
Re: (Score:1)
No you won't.
Livshits (Score:1)
LOL!!!!
Re: (Score:1)
Its a common name in the Ukraine.
This is not a vulnerability (Score:5, Insightful)
It's a feature!
Re: (Score:1)
That's probably why it hasn't been fixed yet, maybe the Google employees working on Chrome like using the feature themselves.
DRM the poem (Score:5, Funny)
DRM will always fail.
If it is on a screen or through a speaker
I can capture and re-feature
So spend your money and waste your time
I want media I buy to be mine
I can watch it on a tv
I can watch it on a phone
I can watch it in a car
I can watch it at home
I know to this you are appalled
But any other way and we don't want it at all.
Re:DRM the poem (Score:5, Informative)
He wasn't talking about getting anything for free. He very specifically talks about media that has been bought.
Re: (Score:2)
It means that DRM has unfixable weaknesses, because part of the path cannot be encrypted.
Re: (Score:2)
It means that DRM has unfixable weaknesses, because part of the path cannot be encrypted.
It can, but it just wouldn't make for good viewing.
Re: (Score:1)
But any other way and we don't want it at all.
So why don't you create [content] yourselves partnering with like-minded people and distribute the content for free?
I think they just did.
Re: (Score:2)
So why don't you create these tv shows and movies yourselves
Probably for fear that someone else will sue me for the story, character design, or something else being "too similar" to an existing work.
I want media I buy to be mine
and distribute the content for free?
That's not what I think downright was talking about.
Re: (Score:2)
The easier answer is boycott...
Re: (Score:2)
Re: (Score:2)
Serious question: How has HDMI with HDCP failed?
Yes, it's succeeded in annoying users (with products that don't always sync properly, and heck, taking longer to change inputs on one's TV due to the delay).. But hasn't it succeeded in (unfortunately) getting rid of the "analog hole"?
Re: (Score:1)
You can video the TV and capture the audio. You can screen capture the DVD from any computer. How does HDMI stop piracy? It doesn't. The people selling the specification merely pretend it does. I like HDMI by the way. Fewer cables... it just doesn't stop piracy. Not even a little.
Re: (Score:2)
But those are all "poorer copies".
I'm still saying I don't think it's good, because of the user facing syncing issues and such.. I just think that it's succeeded _at what they attempted to do_.
HDMI != HDCP.
Re: (Score:2)
Didn't even get rid of the digital hole. The moment the master HDCP 1.x key was reverse engineered and leaked out it was game over. You can go on eBay and buy a cheap standalone box that will record a HDCP encrypted stream to an H264 encoded MP4. Sure some loss of quality but way better than an analogue hole.
Re: (Score:1)
In the Case of Prime (Score:4, Interesting)
Re:In the Case of Prime (Score:4, Informative)
Amazon Prime claims that you can "own" the movie. Problem is Prime is still just a streaming service. It's false advertising and the reason I don't use Prime for movies. If I "buy" a movie, I expect to be able to d/l to a portable drive so I can watch it when I don't have a data connection. If I subscribe to streaming service, I won't have that expecation.
I think you mean Amazon Video, the division that sells content for download and purchase, not Amazon Prime which actually is a streaming service similar to Netflix. However, by this definition, you are buying movies from Amazon Video; not just streaming. Any video content that you purchase from Amazon can be downloaded to your Android or iOS device (including an external microSD Card in the case of the former) with the Amazon Video app for later playback offline; no data connection required. We do this regularly to watch movies from Amazon while on a flight, in a car with no wifi, etc. You can even download Amazon Prime video (which you do not own) and play it offline for a certain period of time, which I believe is 30-45 days from the time of download; quite reasonable for content that you do not own, IMO.
What you cannot do is play it back on any device with a player of your choice. Amazon Video, just like Apple's iTunes, Google Play, Vudu, UltraViolet partners, etc., places DRM on all content that they sell, and it will only play on authorized devices and software.
- Stealth Dave
Re: (Score:2)
This should be called a feature. Netflix advertises itself as a streaming service. Amazon Prime claims that you can "own" the movie. Problem is Prime is still just a streaming service. It's false advertising and the reason I don't use Prime for movies. If I "buy" a movie, I expect to be able to d/l to a portable drive so I can watch it when I don't have a data connection. If I subscribe to streaming service, I won't have that expecation.
I get what you are saying but you are not describing Amazon Prime, which features a streaming video service and no claims of ownership. You are describing "Amazon Video," the option which allows you to "buy" or rent videos to stream to your computer or other devices.
Repeat after me... (Score:4, Informative)
DRM does not work. There will always be a way around it.
Re: (Score:2, Funny)
Some people believe that one day they'll figure out how to let you listen to something without you being able to record it, or show you something without you being able to take a picture of it.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
If you can see it or hear it, it can be copied. Always.
Then perhaps this Widevine breach benefits video game distributors at the expense of noninteractive video services such as Netflix and Amazon Prime. You can't see or hear video game rules; you must instead infer them from the picture resulting from their application.
Re: (Score:2)
Re: (Score:2)
Not once they deliver the content directly to your brain with DNA locked injection modules. Oh, and make all other forms of analog content illegal.
Think it can't happen? Remember how AT&T operated their network up until the 1990s?
Re: (Score:2)
Copyright law gives the copyright holder the right to dictate who can copy and for what use. That means license--contract--has legal force, and violation of license is violation of law.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
It gives them *certain* rights. But there are limits and exceptions to those rights.
Just one example: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Which means, if you do not obtain a license, it is a copyright violation. And nothing more.
Re:Illegally? (Score:5, Interesting)
thanks to mpaa and friends, bypassing DRM (even if its for legal purposes!) is illegal. Documenting how to bypass it is illegal too.
In fact, if you tell google about the "vulnerability", you already commit a crime. Therefore, I think its best that google doesn't fix the "vulnerability", because if they fix it, people will find out about the details of the "vulnerability" by reading the git history, and this means google commits a crime itself.
Re: (Score:1)
Since you can easily copy any DRM'd material merely by "playing" it, this seems foolish.
Audio can be intercepted at any point after decryption. You're not bypassing any DRM in doing so. Audio DRM is like having every door in your house having a lock, but only using 1 key and keeping that key on a hook outside your front door.
For video, the process is similar although a little more technically challenged thanks to the anti-consumer HDCP implementation. You can still film the screen directly if you really
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
It's illegal without a license to do so.
It is determined by law. Are you just completely ignorant of copyright statues?
There are 2 laws, one is copyright, which regulates distribution of copies. You are not violating this law by copying a stream.
The other is the DMCA. Since you're not cracking the DRM but exploiting a flaw in the executing program, you are technically not violating the DMCA any more than if you opened your monitor up and captured the bitstream past the HDMI/HDCP connection where it is no longer encrypted.
Not unlawful ("illegal") (Score:2)
For something to be unlawful ("illegal") it needs to be in violation of a law or statute. There are no statutes prohibiting downloading anything. Clearly then it's not "illegal downloading."
A followup poster suggested that "Copyright law"... something something but no, downloading does not violate anyone's copyright. If it did you wouldn't be able to stream, make a temporary copy in your computer's cache, video GPU cache, etc.
Another poster suggested that the T&Cs form a contract between e.g. Netflix
Da fuq? (Score:1)
(Editor's note: Wired blocks adblockers)
Only in a really poor way apparently. I have an ad-blocker and can get to the link just fine.
whut evvar (Score:3, Informative)
And nearly all that content can be accessed faster and more easily via kat or piratebay.
bfd, really
Or do it the better way... (Score:5, Informative)
Netflix Disc subscription... MakeMKV + handbrake. end up with far FAR better quality rips and 100% undetectable by the copyright police.
Re: (Score:2)
Re: (Score:2)
many I rip to watch later and then delete. I honestly love the ripped movie as it starts now. while the raw Bluray takes forever with all the forced adverts. and "you are evil, dont download a car, etc...."
Re: (Score:1)
while the raw Bluray takes forever with all the forced adverts. and "you are evil, dont download a car, etc...."
What are those things? Honestly, I think my BD player has seen maybe 8 disks in however many years since I got it with the prior TV. Even my HD-DVD player has only ever seen a handful of disks.
Re: (Score:2)
Which is solved with netflix as well.
Re: (Score:2)
I found this out only after renting a Blu-Ray from netflix and realizing Windows 8.1 and Windows Media Player didn't come with the ability to play Blu-Ray.
Re: (Score:1)
Until you post about it in public, that is.
Re: (Score:1)
'illegally download streaming video' (Score:2, Insightful)
Yet another headline written by people who don't know how the Internet works.
It's not a bug. It's a feature. (Score:4)
Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime
When it comes to Amazon Prime, I like this bug... err feature. Owning content that can't download? I was a sucker when I bought a few things that I could have gotten on DVD. Never again.
Re: (Score:3)
Yeah, but in the case of Forbes at least, how is that useful?
Ever since Forbes implemented that blocker (which I can't get around on my work computer anyway), I find that it's been a positive effect on my web-browsing experience by preventing me from wasting my time and polluting my brain by reading Forbes "articles".
What bug? (Score:4)
For the first time ever "it's not a bug, it's a feature" is actually true.
Definitions matter (Score:2)
Is a single example produced by researchers really "easy"?
Would that qualify as making downloads "easy"?
This would be a legitimate concern (Score:2)
if Netflix had anything worth watching more than once in their streaming catalog.
Netflix seems to be the B movie depository these days.
How is this a vulnerability? (Score:2)
This one definitely qualifies for the term, "it is not a vulnerability, it is a feature". I don't see any harm by being able to record shows on my machine.
Don't look behind the curtain (Score:2)
Publicizing flaws in deployed DRM schemes only increases the pressure from Hollywood to deploy stronger, more user-hostile schemes. Please don't do it.
I can't understand this. (Score:2)
Re: (Score:2)
Because downloading a torrent is a public viewable operation. Where as capturing the stream on your browser just looks like normal legitimate viewing and far harder to trace. Therefore there is far less chance the copyright police are going to send nasty letters asking you to settle out of court for a not inconsiderable sum of money.
No surprise (Score:2)
As all DRM: If you give me the encrypted content and all i need to show it (decryption code and somewhere hidden inside the key), i will be able to decrypt it. No surprise.
But next:
Hollywood will demand the nightmare DRM. While w3c said "EME is harmless, you run the CDM in a sandbox", the movie companies will demand the CDM to be run with admin privileges to check the integrity of your video driver. And when it's established, there's nothing stopping them adding code to scan for clonecd and other signs you
Then serve ads that don't track people (Score:3)
I don't block ads. I block services that track me across websites. Serve me ads that don't track me across websites, directly from a server whose FQDN ends in .wired.com, and I'll see them. But neither WIRED nor Forbes appears to be smart enough to set this up [harvard.edu].
Re: (Score:2)
So when I setup doubleclick.wired.com, and point it's A records to a double click server so they can serve you ads, and that server also hosts doubleclick.othersite.com
The possibility of delegating a subdomain to a third party raises deep philosophical issues of what is considered to be part of someone's "domain". But I mentioned the same public-suffix-plus-one policy because it's also the rule used for the scope of an HTTP cookie. A script on doubleclick.wired.com would have a less easy time correlating me with doubleclick.othersite.com because a particular site can set a cookie only for the same public-suffix-plus-one.
But if they do figure out how to track despite lack
Re: (Score:1)
You don't need an older OS to stop the spyware (Chrome) auto-updating.
In Windows, just disable the service.
Re: (Score:1)
I agree; however, what about Chromium or SRWare Iron or even Vivaldi/Opera?
I only use Firefox anyway, as I doubt anyone has extensively analysed Chromium source code in order to search for any hidden Google tracking mechanisms or reporting techniques.
And even if the source appears to be clean, Google aren't stupid [mozilla.org], their trackers are over most websites, and through js obfuscation and ajaxing encrypted data back to Google, they may be able to trigger various reporting elements in Chromium to extract user dat