Hacker News new | past | comments | ask | show | jobs | submit login
Illegal streams, decrypting m3u8's, building a better stream experience (2018) (jonlu.ca)
42 points by colinprince 3 days ago | hide | past | web | favorite | 11 comments

One of the pirate tv/movie streaming websites I look at from time to time also switched from storing their videos directly in googledocs to encrypting it first. Couple of years ago they simply used unlisted YT uploads for their pirated material. Talk about zero cost hosting.

I noticed a very interesting method one used recently where they stored video segments (2-5MB) on google with the extension ".text.png". Interestingly the files have valid PNG headers.

On google as in on one of the various google hosting services or something less intened-by-google like stuffing data in the "image" and somehow getting it cached by the crawler?

On google. And this is not using any of the proxies. Here is one such segment: https://lh3.googleusercontent.com/d/12xIEN-mfboq4CSYJS8tKq4H... ... And guess what, I just googled that URL to check which service `/d/` is associated with, and lo and behlod, someone's already explained what I was going to: https://medium.com/@laurentmeyer/deep-dive-in-the-illegal-st...

The dude ventures out to torrent a video, gets interested, and then in conclusion wants to tell Google engineers where he found it ??????????? That's great ass covering on the end bit there.

These sites are used to takedowns, whether it be because the Google account got banned or abuse was detected. Pointing out a segment is not going to change anything, if I can find this a hundred Google engineers can

Not you, the person in the article. It just seems comical that they'd intentionally go out of their way to torrent IP then turn it over to Google.

I'm curious how the PNG header is removed for each chunk when streaming the video. Is HLS just resilient enough to ignore unexepected bytes?

I would think the pirate site would be unable to parse the data it wants from the 4MB 1x1 PNG because of cross-origin restrictions. Anyone know how that works?

Same way any 3rd party content is hosted. The cors headers of the Google hosted content are set to allow all.

"Unfortunately most common desktop players do not allow you to customize the cookies and headers sent with your request." I would have thought to set up a proxy and then to connect VLC to the proxy server.

They also mention encrypted servers. Can VLC make these authentication with your own keys?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact