April 30, 2011

How your content is restreamed

This article is intended for technical staff and managers who know how Windows Media Server works internally. I hope everybody else find it useful as well.
Lets propose we are bad guys who want to steal somebody's contents. What should we do?
First of all we will try to find somebody who is not protected from link republishing. But thanks to our previous article  there are no people who are not protected from republishing. If we are cheap thieves we will try to steal something else but not media contents from Windows Media Server. If we have enough resources we will try to restream contents.

What is restreaming from technical point of view?
1) we need to get media stream. Even if you are protected from link republishing we can open stream as an authorized user.
2) we need to save stream somewhere. Depending on our needs we probably need big some storage to save stolen content.
3) we need to stream stolen content to our customers.

Lets see how we can get media contents. First of all there are three protocols that Windows Media Server supports: MMS, HTTP, RTSP. MMS is supported only by Windows Media Server 2003 and his younger brother - 2008 Server - doesn't support it. So let's cover just HTTP and RTSP protocols.

HTTP

HTTP was not originally designed for media streaming but using binary chunking (no transport encoding applied to media stream so less data transferred through network) it's good enough for media streaming. It's widely used when media player is embedded into web pages. There is "Referrer" HTTP header related protection from republishing for HTTP protocol. When I tried to hack this protection it was not so easy to me. Additionally this protection works only for HTTP protocol. So use our solution since it's more secure and works for both HTTP, RTSP and even for MMS on Windows Media Server 2003.
We can re-stream HTTP stream produced by Windows Media Server using:

  1. Windows Media Server itself. Yes, the server can re-stream contents. In general this function is used for load balancing in Windows Media Server field.
  2. VLC player. This tool has command-line interface and can restream variary formats. It's opensource and if something is missing (for example you cannot add HTTP Referrer header in VLC but you can download code and add this possibility. You can change "User-Agent" as well. So patched VLC player can pretend regular Windows Media Player or even Windows Media Player embedded into Web page.

RTSP

It's supported both by 2003 and 2008 server versions and it's preferable transport protocol for 2008 server since MMS is not supported here. RTSP was initially created for media streaming and supported by many media servers and players. To re-stream WMV+WMA(ASF) produced by Windows Media Server it's not enough to support RTSP so there is software we can use to steal contents produced by Windows Media Server:

  1. As in previous case Windows Media Server itself. Actually we can protect ourself from re-streaming by Windows Media Server using our solution. You can specify supported players and it will skip others. In order to workaround this simple protection, re-streamer need to either have RTSP proxy with possibility to change "User-Agent" name. I've never heard about such proxy and even if it exists it's not such robust like HTTP proxies exists many years and works fine and very stable. So it looks like while you use RTSP + our solution, re-streamer has to move from Windows Media Server to something else. But of course he can put something first and then stream to Windows Media Server for further re-streaming. So as I said in previous article there is no simple solution for re-stream prevention.
  2. And as for HTTP, we can use VLC as well. Taking into account that we can get source and change everything we need to looks like for example Windows Media player this tool is great for re-streamers and very widely used. It's opensource and anybody can capture traffic between Media Player and try to fix re-streaming software to behave similarly.

There are a lot of commercial and free software available in Internet for re-streamers. I don't want to advertise this soft here but want to say that re-streaming in general is very complex task. It's not so easy since web pages are changing all the time, media URLs changing as well so there is no fully-automated solution where we can say "ok, here is a good site and we want to steal all of its content". All re-streamers have their own solution for stealing contents depending on what they are trying to steal. They may share their scripts of course but when the re-streamer have stolen your content, he has the same problem as you - he needs to protect his investments. It's not too rare case when contents is restolen. Yeah, it's a crazy world.

We've covered just re-streaming part but didn't say anything about how re-streamer can get valid URL to your media contents. Usually you just returns URL to content inside the web page. If that's the case, it's a bad idea since re-streamer can easily parse this page and get your link. In the next article I'll try to help you protect your media URLs from automatic grabbing.

Take a look at WMSAuth plugin for Windows MediaPaywall framework for Wowza Media Server and hot-linking protection for Nimble Streamer.


Related documentation


Paywall for WowzaGeo and IP range restriction for WowzaWowza hotlinking re-publishing and re-streaming protectionNimble Streamer HTTP hotlinking protectionNimble Streamer geo-location restriction Pay-per-view for Wowza Media ServerWMSPanel control and reporting panel for Wowza Media Server

April 18, 2011

How to know who is restreaming your content

In the previous article we described how to prevent unauthenticated usage of your computational resources. Here we'll try to define the next imminence - your users can capture and restream your content. In the next article in our technical blog we'll try to cover common approach used by re-streamers but meanwhile let's assume (and this is a truth) that re-streamer's software pretends to be a regular player (Windows Media Player, Set Top Box player etc).

    How can we determine that somebody is a re-streamer if he is an authenticated user and his software looks like regulair players? There's no simple answer here. But there are some observations about restreamers what we can use to distinguish:

  1. re-streamer typically watches many channels at the same time;
  2. re-streamer watches almost 24 hours a day everyday;
  3. if you're almost sure that you've find re-streamer try to disconnect him from his channels. His software will try to connect immediately. Human cannot do this for example in early morning and most probably this is re-streamer' software that tries to reconnect your channels as soon as it's possible to proceed with stealing your content.

These markers above are very weak in particular but together they can help us to find a violator.
So what should we do from technical point of view? We need to collect all statistics about players and analyze it. We need to get information from all servers in your WMS farm but not from individual servers since only common report from all servers can show actual picture. These statistics are very important not only for re-streaming prevention. Knowing what user watches we can process him in a special way, e.g adding appropriate adds, showing updates about new available materials he probably wants to view. As you can see re-stream prevention is much more complicated than link republishing defense - but it's not impossible though.

Currently we are in active development and testing of such analysis system and if you want to get more details about it - let us know. Once we finish we'll provide an appropriate review of this system and let you try it.

The next article in our technical blog will try to cover common approach used by re-streamers: their tools, methods etc. You need to understand what you're defending yourself from to apply appropriate methods. If you want to setup your streaming environment securely - we can help you here.

Take a look at WMSAuth plugin for Windows MediaPaywall framework for Wowza Media Server and hot-linking protection for Nimble Streamer.


Related documentation



Paywall for WowzaGeo and IP range restriction for WowzaWowza hotlinking re-publishing and re-streaming protectionNimble Streamer HTTP hotlinking protectionNimble Streamer geo-location restriction Pay-per-view for Wowza Media Server, WMSPanel control and reporting panel for Wowza Media Server

April 17, 2011

Why you need media stream protection

Why you need protection of video/audio content?

Media streaming is a business. Like any business you invest some amount of money and expect to get more money back. Those investments are:

  1. You pay for computational resourses. Currently it's most probably just virtual servers field
    or more complex solution like nScaled provides. You can use even you own hardware. No matter what
    you use - cloud or hardware - you always pay for your infrastructure

  2. There are many software solutions for media streaming. But most professionals can say that Windows Media Server

    is the best in case of high quality streaming. You need to pay for this great software and this is you investments as well.

  3. To stream something you need to pay again. People are working hard to produce high quality media content so to show something interesting you need to buy it first.

Let's imagine that there are many people who want to skip 1, 2 and 3. Yes they want their user see your content from your servers and pay them (not you). I think being media streamer you know all of this but let me finish for somebody how don't know what I'm talking about.
When you create publish point and add it to web-page you provide a link to publish point. Now user can get it, setup stream server
and capture your content. Another more common practice is to put your links to another server and provide users with links to your server.
In this case user will pay you money for one account and provide link to many people how will pay to that re-streamer. How can you avoid this?

When webmaster wants to protect unauthorized access to a site he adds autherntication by login/password pair.
User who wants to add comments or change something valued need to sign in and then perform such operations.
So how can you protect media content?
Well, you can use standard Windows Media plugins to protect publish points:
  • Access users with specific IP addresses.
  •  Using NTFS file permissions
  •  Using Windows User permissions.
Well. If you are not commertial streamer you most probably can use these three methods. If you are commertial streamer especially IPTV provider these methods are not applicable.

But you can use our or similar solution based on adding to media URL something that media server can check and either authorize user or deny request. What should we add to get to know that request was made by our user ?
Well, most probably it should be a hash where we add:
  1. user IP address
  2. server time and link validity interval to know that URL was signed in near past. This is necessary to prevent easy restreaming. If sombody wants to restream our content when server time is in URL he need to create script that login as valid user and get new links to video content.
  3. all previous user knows and can create valid link himself. So we just add secret key. This is any string what is unknown by anybody but you.
If your initial URL looked like this
mms://videoserver.net/PublishingPoint/movie.wmv
you will get something like that
mms://videoserver.net/PublishingPoint/movie.wmv?server_time=9/30/2010 10:52:01 AM&hash_value=K8TDaZxCfueiHp0GzVSAsA==&validminutes=5
From what you are protected now? You are protected from the case when a thief adds your links to his site and his users are using your resources.
Not bad, right? But some of your users can capture and re-stream your content in anyway. Take a look at investments list - we've protected the first investment - computational resources. Now nobody can just republish your links and make money on that.
They need to capture your content, store it and re-stream to his users. This is much more complicated. Most probably thief will find somebody who doesn't protect his links and leave you alone. Our solution protects your computational resources from unauthorized access. There are a lot of customers who use it and it works good. It cannot protect you from re-streaming your content.

How to protect your investment number three - the content you pay for? It's not as easy as the method described above. It's necessary to understand this - and if you need to protect your investments deeply we will describe how to do this soon in the next article.

Take a look at WMSAuth plugin for Windows Media, Paywall framework for Wowza Media Server and hot-linking protection for Nimble Streamer.

Contact us if you want solution to protect you from re-streamers.


Related documentation


Paywall framework for WowzaRestriction solution for geo and IP range for WowzaWowza hotlinking re-publishing and re-streaming protectionPay-per-view for Wowza Media ServerWMSPanel control and reporting panel for Wowza Media Server 

April 16, 2011

Welcome to WMSAuth team articles

    First of all we want to say thank you for using our product. This is very important for us that many people from many different countries are using it. We are trying to cover basic needs of video/audio content protection and make our product accessible for small business and individuals for free since we understand that making first steps in audio/video streaming, it's very important to find free, easy and robust solution to start working with. Medium and large business on the other hand can reduce or eliminate cost of video/audio stream protection since we don't offer licenses or something like that. Don't be afraid to start working with this solution, it's open source. If you are not satisfied with current features and need to add something special you can contact us.
     We provide support if it's necessary. For example you've read how-it-works but cannot understand or don't believe it's applicable to you. Or you want to just support us since we made valued feature you are satisfied. Or you need to our assistance at any development/deployment stages, web-site tuning for solution usage etc. Need to add something to the product or another feature to WMS server. We are very good here. This is an area where we make money. Don't hesitate to contact us. If you need something simple it will cost appropriately.Your support is very important to us. Support is not just a money. If you are activity related to media streaming and you want to improve something, don't wait and let us know.
     Currently we are under active development of new feature we'll describe soon. We are looking for new features to implement and you, the media streamers, can help us make valued feature for you.

    So, subscribe to our blog and be up to date with us. We will describe new features under development, our plans etc.