Hacker News new | past | comments | ask | show | jobs | submit login
The Quest for Netflix on Asahi Linux (da.vidbuchanan.co.uk)
662 points by _Microft on March 9, 2023 | hide | past | favorite | 280 comments

Widevine has been privately cracked/bypassed. The method hasn't been made public as it would obviously get patched rather quickly (if it even can be patched).

That's why Netflix content is available almost immediately on any decent tracker. The quality would not look nearly as good if it was grabbed using a capture card.

Like others have mentioned, it's security theater for the content owners who most likely require Netflix to have DRM in place in their contracts.

It's not even private anymore. Anyone can easily find tools on GitHub or other sites[0] that can download widevine'd content. It's easy to find L3 keys on GitHub too. There are public sites[1] that get the decryption keys but using their own keys on the backend if you cant find keys or don't know how to dump the keys. There is an all-in-one tool[2] that lets anyone with 0 knowledge of DRM to dump content from practically any site that uses widevine, costs a leg but it's meant for people who don't want to waste time finding tools and learning how to do it manually.

[0]: https://cdm-project.com/CDM-Tools/

[1]: https://cdrm-project.com/ & http://getwvkeys.cc/

[2]: https://streamfab.com/

The all-in-one tool only decrypts Widevine L3, which is the lowest security Widevine protocol according to TFA. 4k content is only available with Widevine L1. The others don't say which level they support, but I assume it's the same.

That tool says it does for 4k for HBO Max. All the other platforms (Netflix, Hulu, Amazon, Disney+) are 720 or 1080 though. Wonder whats going on there.

Perhaps HBO Max only uses L3 for all content then?

HBO Max is L1 for 1080p+ but revoked L1 keys usually work on there

This is why audio and video drm is so useless. All the cracking teams have their own methods which they don’t need to publish. Unlike video game drm where the cracks have to be published with the game.

It's actually a bit dangerous for ripping groups to do that if they're in countries friendly to western interests, because the media companies can initiate a traitor tracing protocol to figure out where the leaks are coming from and then initiate prosecutions. Traitor tracing algorithms are well known in the literature and some are undetectable.

When this game was playing out with BluRay, it wasn't possible for the media groups to directly attack the ripper makers because the primary developers were in Antigua which had a WTO ruling against the USA allowing Antiguans to ignore US intellectual property rights. I forget the political background. Later I think someone in China started doing it too. The point is though, that the tech converted (for a time) the problem from one of intractable scale to one of "if we get these two companies then the issue disappears because they're the only ones who have the knowledge". That opens up all sorts of new strategies for the media companies to pursue. They may not work, but, the situation is definitely not the same as before.

BTW video game cracks don't have to be published with the game. They can just publish the patches to the game files without releasing any tools they created to make those patches.

Not just privately either, there have been tools circulating even on GitHub.

For a L3 example there's one repo [1] that's kind of still up but not really. Still enough to show that it happened. L1 bypass has also been on GitHub briefly. However these things get deleted rather fast for obvious reasons.


[1] https://github.com/tomer8007/widevine-l3-decryptor

Just because piracy is possible doesn’t mean they should make it as easy as it can be for users.

There’s value in even minor hurdles.

They clear think it’s worth it.

> Just because piracy is possible doesn’t mean they should make it as easy as it can be for users.

> There’s value in even minor hurdles.

The hurdles only exist for the people who are paying them. It makes piracy more attractive relative to paying, by making the experience you get when you pay worse.

> They clear think it’s worth it.

They're corporations. Management is under pressure to be seen doing something about piracy and the DRM vendors saw an opportunity to sell them some snake oil.

Making the experience worse fir customers than pirates is inexcusable. Can’t watch on all my devices, that’s not an issue with pirated stuff.

Streamers work hard to make their interfaces good and recommendations valuable because that is their value add.

I suspect DRM might be added because circumventing is a different violation as opposed to just copyright infringement.

> they clearly think it is worth it.

That is like arguing that "clearly people think fax is secure, otherwise they wouldn't use it". No, it is obviously theater but other people insist you use it and while useless the effort to change it is "not worth it".

Cell pagers are also deemed secure in some places, despite being broadcast over a wide area.

Both of the technologies can be seen as "secured" by laws outlawing listening to the information sent in cleartext.

I wouldn't call it "security theatre", i would call it "security through legislation" or something along those lines.

I thought "security theatre" was a routine that promised, but did not provide, additional security, and while there is no technical security, there technically is some security, in the form of legislation.

Yeah. When nerds talk about DRM I’m reminded of that xkcd with the encrypted payload, and the crowbar. I can’t be bothered finding it.

“Security theatre” is as you’ve said something that people in these circles there around at times when it’s just not accurate.

This is such a weird blindspot for nerds. A cargo-culted relic from a bygone era where digital media consumption was worlds harder than it is now, and the argument against DRM was less wrapped in moral superiority, instead just…much more blatantly being about people wanting to pirate things.

I’ve got no doubt that a highly experienced and motivated hacker could pop any of my stuff in 5 minutes. Doesn’t mean that I’m not putting effort into securing my stuff against the garden-variety script kiddie, even stuff that negatively affects user experience.

An argument that the negative UX imposed by DRM doesn’t justify its benefits (to the content owner / distributer) is at least a little bit interesting. However “it’s annoying to get going on an OS that nobody uses” is a pretty weak argument. As is “it makes it hard to rip content from a streaming service in a way that’s very blatantly NOT in the spirit of the transaction that gave you access to the media in the first place”.

DRM isn't really about piracy, it's about control and money. They want to be able to take content from people who already paid for it, censor/edit/change content after it's been purchased, track usage, and ultimately force people to pay over and over again for the same product.

The fact that DRM sometimes slows pirates down for days/weeks/months is just a tiny bonus.

> Widevine has been privately cracked/bypassed.

Sort of.

Widevine has various levels, and there are exploits for the lower ones.

But the upper ones really only have a vulnerability if a hardware key gets extracted, and Netflix shows in higher resolutions are increasingly not available anywhere because of that. Stranger things Season 4 was only available at 720p for more than a month.

Just checked up on this, currently there are torrents available for Stranger Things Season 4.

> Stranger Things S02E09 2160p NF WEB-DL DTS-HD MA 5 1 HDR DV HEVC-FRiENDS

So either the DRM Level was reduced after the release (why would they ever do that?) or it was cracked but takes some time to do so.

It was cracked but they had to burn a hardware exploit to do so and the key was (I assume) subsequently revoked. So they are only doing it sometimes when there is a sufficient buildup of content.

Why would a capture card look any worse? Isn't it capturing lossless video output? Just because of the re-encode?

I think it's both things. Netflix, and other platforms, don't send lossless streams to you. Even at 4k. Plus, you are re-encoding it. Its like doing a VHS copy from another VHS, or creating a new JPEG image from another. Always there is a loss of quality.

Well a 1080p stream at 30 fps would be 1,5 Gbit/s -- a little outside the spec of most people's internet tubes. And 4K UHD at 30 fps would be around 5 or 6 gigabit.

It helps to capture the Netflix stream uncompressed to remove the extra compression step you'd otherwise get at capture time, and modern encoders are pretty good, I don't think most people would notice on a laptop screen.

On a 40+ inch 4K TV though, it can be quite noticeable

It's closer to VHS to DVD.

The signal remains digital, but decompressed into a raw bitstream that would be many mbps (think how big lossless filesizes get). So it has to be re-encoded but you’re doubling the compression artefacts, and can only avoid them by really dialing up the bitrate.

Maybe someone made a video encoder algorithm that’s tuned toward already compressed and decompressed video.

Though I’m in the camp of watching for quality of the story etc. rather than the crispness of the video. If it’s not worth watching in 480p, it’s not worth watching in 4K either.

A single re-encode will make a difference. But with the proper settings it will be almost unnoticeable.

Capture is not lossless. Think about a photocopy machine, every copy loses a small bit of information. Recapturing video output is a similar situation.

Why? Photocopy is obviously lossy since there is a very noisy digital-analog-digital conversion going on. But a capture card is capturing a digital signal. There should be no loss except for video decoding/encoding artifacts.

The capture itself could be lossless but would be ridiculously huge, re-encoding that to a usable file size will introduce some loss.

You're not understanding how lossy compression encoders work. Try recompressing a JPEG a few dozen times. Or take an MP3 and export it from Audacity, open the export, export as MP3 again a dozen times and see what it sounds like.

All those artifacts keep getting amplified every time you re-encode until it's practically just the artifacts. Every time you render and recompress you're losing information, it's lossy compression after all.


Thought for sure it was going to be the legendary Hank Hill JPEG meme:


I just want a picture of a got-dang hot dog!

Truly a classic.

But the loss happens during re-encoding, not during capture.

Lots of the time capture cards are returning a compressed video stream instead of raw frame data, at least for non-professional environments. I don't know too many amateur streamers handling SDI around their house.

In practice, that difference doesn’t really matter because almost no one is going to store their captured, already-lossy material in a lossless format.

If you know you have to recompress and want to reduce unneccessary artifacts, you do. But beware that uncompressed video in 8 bpc (not HDR) 1080p @ 30 fps is 1,5 Gbps so you'll need 1,3 TB to store your 2-hour capture :)

But JPEG purposely discards information to save space. A digital stream is copied directly, only a codec would subject it losing information

Like the codec used to get the stream from Netflix to you, to be decompressed for the capture card (so lossless capture of a lossy source) and then back through x264/265 so lossy compression on a lossy compression. Just because there is a capture card in the middle doesn't stop it going through multiple lossy steps.

But if you want to share it or store it, it is not practical to keep the raw data. You will have to re-encode.

> except for video decoding/encoding artifacts

Which is... lossy

> The only officially supported way to use Widevine on Linux is using Chrome on an x86_64 CPU.

To be precise it is "The only officially supported way to use Widevine on Linux is using Chrome on an x86_64 CPU using glibc."

In other words, even though I have x86_64 cpu, since I'm on alpine, I'm fucked anyway.

If you are using alpine as a desktop distro, don’t you have bigger problems than Netflix not playing?

(also how are you even using alpine for desktop. I tried to look it up once and gave up soon)

Not really, honestly these days it works pretty much fine. Basically only issue I have is the DRM and I can live without it.

Are you using some specific distro based on alpine, or just alpine?

Just alpine. Works fairly well, I rarely have problems. Except the DRM, but I don't care that much.

Things have improved. Both alpine and void-musl are usable desktops nowadays; my DAW is on the latter.

What DAW are you using, by the way?

QTractor. I used to master with Jamin but the master_me LV2 turns out to be easier to use (for me). I also use giada for live looping and mixxx for DJing, all of which work great on musl.

I see Alpine Linux uses musl instead of glibc. Theoretically, couldn't you install or build glibc anyway and launch Chrome with LD_LIBRARY_PATH=/path/to/glibc?

You should see all the "system" libraries I have sitting in /opt/<app>/lib for each <app>

I've danced this dance at some point, I wanted to do things right and "reward content creators". Then I gave up.

Paying money and having to install a proprietary browser and run proprietary software to stream low-quality video (not download, or move to a different device), if the company deems it available to you at that particular place and time.

Meanwhile torrents let you start watching most content in under 30s, at whichever quality you'd like, in a convenient mkv you can stick anywhere.

No thanks. I'll stick to patreon and buying albums to assuage my guilty conscience and reward content creators.

Which is odd because there's lots of ARM Chromebooks. I'm typing this one one right now.

So they have a working version of this internally obviously. I guess they just don't ship it stand-alone?

In the featured article, it delves into this a bit:

> Earlier, I said that 'Widevine-in-Chrome-on-Linux-on-aarch64' is not an officially supported platform.

> I lied.

> Chromebooks exist, many have aarch64 CPUs, they run Chrome on Linux (more or less), and they officially support Widevine.

The whole post is worth a read. Its pretty sort and well written!

What prevents you from ALSO having glibc?

When people say glibc, they really mean ld.so + libc.so + libm.so + nss + ...

And no, glibc really only work with its own dynamic loader (ld.so), and it has to be with same version.

Again, what prevents you from ALSO having all those? You just need to point to them and run some programs that require them with those...

There can be only one ld.so in each process.

Widevine is a plugin-like .so meant to be loaded into Chrome/Chromium. Because it uses glibc, the entire process hosting it must use glibc. So, what prevents me from ALSO HAVING GLIBC CHROMIUM instead of musl Chromium? Nothing, but I hope you get that it propagates further and it's a horrible idea to just glibc everything on Alpine.

>There can be only one ld.so in each process.

Sure, but you need it for Chromium alone iirc, no?

>Because it uses glibc, the entire process hosting it must use glibc. So, what prevents me from ALSO HAVING GLIBC CHROMIUM instead of musl Chromium? Nothing, but I hope you get that it propagates further and it's a horrible idea to just glibc everything on Alpine.

Well, don't glibc everything. Just Chromium and its dependencies. How does it "propagate further"? It's not like libraries leak outside where they're told to load!

Sorry, I didn't say it clearly.

I want to use the distro (Alpine) packaged Chromium, which links to musl. Not some random Chromium build I found on the Internet. Having to use a glibc Chromium is already too far for me.

Do you suggest that in order to support Widevine, a distro (Alpine) should also build Chromium, Firefox and co also with glibc instead of the default (musl), or provide two varaints?

Even when they have a Chromium with musl as libc working perfectly fine, except no proprietary DRM support?

I'm okay with running a proprietary binary, linked to glibc, by installing the glibc alongside. I'm not okay with having to randomly change other packages already in my system (in this case, my browser) to glibc variant.

Edit: Oh, and anything Chromium depends on have to had a glibc variant.

>Do you suggest that in order to support Widevine, a distro (Alpine) should also build Chromium, Firefox and co also with glibc instead of the default (musl), or provide two varaints?

Yes, absolutely.

I'm not suggesting that it's a good thing that this is needed.

But I do suggest that it needs to be done.

Will, in the sense that, otherwise, people running Alpine will have to say "OK, as it is, we can forget Widevine and Netflix/Spotify" and leave it at that.

That said, since this is something many Alpine users will want, I'd expect to be some known "semi-official" or "reputable third party" build for this, not just "some random Chromium found on the Internet".

If not, personally I'd skip Alpine.

>Even when they have a Chromium with musl as libc working perfectly fine, except no proprietary DRM support?

Well, even then, since this doesn't change the fact that Widevine and thus Spotify/Netflix wont work.

what are reasons to choose musl over glibc? (or glibc over musl?)

> For broad-based usage, things are less likely to break with glibc. For a specific use case, that may be less important. As a dangerous generalization, musl is usually lighter on resources, but glibc is faster. If using ARM or very limited hardware, musl may in fact be faster, but with more available hardware resources, glibc usually wins, often by using non-standard optimizations (cheating).


Can't you just install glibc compat?

Maybe a flatpak would work?

wasn't Firefox including widevine for DRM stuff ? I don't have any issues playing Netflix and Amazon Video from Firefox in Kubuntu

Per the article,

> In the instance of Chrome, the browser doesn't implement the DRM itself, but delegates it to a native library referred to as a CDM (Content Decryption Module).

> This library is an opaque proprietary blob that we are forbidden to look inside of (at least, that's how they'd prefer it to be).

> Graciously, as part of the Chromium project, Google provides the C++ headers required to interface with The Blob. This interface allows other projects like Firefox to implement support for Widevine, via the EME API, using the exact same libwidevinecdm.so blob as Chrome does.

Excellent writeup. Asahi is my daily driver, but I've never had the need for either Spotify or Netflix. I guess the gospel of RMS and the FSF over the past few decades has steered me away from anything DRM-related.

In terms of freedom of using compute devices, RMS has a point.

In terms of freedom of using media, I'm less annoyed by Spotify or Netflix than I am by "purchases" of media that have DRM. It's clear that one is renting with the streaming services, but Amazon can revoke permission for me to read books I have purchased or Valve can revoke permission for me to play games I have purchased, we are truly living in a dystopia.

Instead of “buy”, they should be labeled “rentals - as long as provider exists or chooses to give you access”.

The terminology should be either "License", "Buy a License", or "Purchase<br><small>Indefinite License</small>", but it's distinctively "not renting" since it's a one-time cost to obtain that indefinite license. Renting anything implies and requires some form of ongoing cost.

What "indefinite license"? They can, and do, take content off at any time...

Yeah, that fits within the definition of indefinite. It's not a permanent license, and at time of sale, it's unknown when it ends.

Indefinite == not definite, i.e., not for a specific duration. It doesn’t mean ‘forever’.

"Indefinite" in this context means that there is no set expiration date. It doesn't mean "perpetual" or "irrevocable".

When have you ever been able to buy software? I thought in most cases you just buy a license to use the software or the license says it’s free for X types of uses or sometimes “free for everyone”.

Back when it was sold on physical media; CDs, Bluray, DVD or floppy disk. Because it was a physical disk, you were allowed to do whatever you want with that disk. You weren't given the right to copy it and distribute those copies thanks to copyright, but you were allowed to resell your one physical copy due to the first sale doctrine. Hence we can quibble about the definition of "buy software", but we used to be able to do that. It's that the first sale doctrine kinda doesn't apply if you're renting software like a SaaS over the Internet; eg Adobe Photoshop/Creative Cloud.

I don’t remember it being like that with CDs and floppy’s. I’m pretty sure most of them were still a license to play.

Looking at my Diablo II (version 1.0 2000) and Warcraft III CDs I am given a license key and agreement to an EULA. Unfortunately the EULA isn’t in the box but I’m almost positive they could revoke my key and I’d be unable to play.

Blizzard trying to push renting software on us doesn't change what was legally allowed, and Diablo II and Warcraft III were after the Internet came around. Now, if you bought Warcraft I, which didn't have Battle.net support, you own that one copy, and Blizzard can't take that copy away from you. Which is to say it's bought and not rented.

"Leases"? If contract is terminated, goods go back to the owner.

Yeah the subscription services for media I like and I feel like the proposition is straightforward. I pay per month for access to a massive catalog of media. If I don’t like it I can just stop and maybe subscribe elsewhere.

It seems quite fair. There’s no mystery that it is a rental situation.

depends on the game. many steam titles don't need steam to actually run

Spotify has alternative clients like raspotify, so there you should have alternatives that don't need hacks. There's also a web client.

I use the web client, but I find myself lamenting how it's missing basic features, like playlist management (change song order, duplicate playlist); fortunately I don't use those often, but it is quite annoying.

The web client seems to install some DRM packages.

I've used ncspot extensively when on little ARM boxes - it requires a premium account, which I have, and it's just a nice little curses interface to Spotify, written in Rust, that seems to work on everything with a minimal of resource use.

raspotify/spotifyd aren't alternative desktop clients, they're connect clients, great if you want to modern-ify an old amplifier, but not useful for streaming.

All of the native desktop clients (psst, spot, etc) are missing quite a few features compared to the official client, and spotify-tui is nowhere near as nice to use.

Spotifyd can be a desktop client. It doesn’t have a UI, but you can send it commands over dbus.

Spotifyd on my laptop (often started initially with connect) is my primary method of listing to Spotify.

The web client is what requires widevine. The native clients use a custom (easier to bypass iirc) DRM scheme.

Spotify is usable with alt clients. If I was using Asahi regularly I’d probably just torrent video content that can’t be played due to drm.

> Asahi is my daily driver

I'm guessing you have an x86_64 Mac and not an arm64 Mac?

Asahi is specifically about arm64.

> Addendum: The EME API is a good thing! (kinda)

Hard agree. There was so much nerdrage when the EME was being considered for standardization, as if by not standardizing an API we'd be preventing DRM from existing. People acted like Tim Berners-Lee was stabbing the collective internet in the back when he endorsed it.

The choice was between a standardized web-based DRM, or a wild west of incompatible proprietary DRM. Personally, I'm glad I don't need Silverlight to watch Netflix anymore.

There is also the opinion that having a Wild West of incompatible proprietary garbage would result in DRM being less popular because it caused too much friction for users. Of course some stuff would still have it, but less would than the current state where it’s easy and invisible to users until you hit an unsupported system.

> …would result in DRM being less popular because it caused too much friction for users.

I agree. But that wouldn’t lead to more content freely available. It would lead to more content being locked in apps and unavailable in the browser.

Do you think they would’ve made an app for Linux? I don’t.

The dream that all content be available DRM free isn’t happening any time soon. Rights holders clearly don’t want it and I don’t think anyone could marshal a big enough boycott to change that.

So the choice is DRM or no content at all. Given that EME is a good outcome.

I don’t think Spotify web would have DRM if it required manually installing crap like silverlight. Music went drm free because it was inconvenient, and then when the drm was refined a bit, it’s all locked up so the web ui doesn’t work on Asahi.

This is completely false and easily refuted.

By the beginning of 2007, every music service that wasn’t iTunes had failed to gain traction. The record labels wanted Apple to license FairPlay. Apple refused and Steve Jobs posted “Thoughts on Music” to the front page of Apple.com where he gave the music labels an alternative - license their music to everyone DRM free.


> The third alternative is to abolish DRMs entirely. Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat

The record labels wanted Apple to give them a cut of each iPod sold, allow variable pricing and allow more music to be bundled instead of sold as singles. Apple refused. Some other places like Amazon and MS acquiesced.

Apple then released the iPhone. But didn’t have the rights to sell music over cellular. Both sides came back to the bargaining table and by 2009, iTunes music was DRM free.

Because users are so famously reluctant to download apps? Apple would like a word with you ;)

It's mostly devs who obsess over the downloading and running of programs as if it's a great torment. Users don't care much. They're happy to go grab things from app stores or even just download and run them. Notch was able to buy a massive mansion in Beverly Hills on the back of people downloading and running his Java desktop app.

I can't download any iOS apps. Sometimes I try but it doesn't work, even though I'm using the latest web browser.

It happened for music!

I wonder why.

But it makes music the one digital good I don't torrent on the reg cuz it's easier to just search it up on Amazon than on some torrent site. (The one weird exception is discographies, since they don't sell those for some reason. For them, archivists' torrents got you covered.)

Yes but the music industry was willing. I don’t see that in video.

If anything the video industry appears to have “learned the lesson“ of the “screw ups“ of the music industry.

The mere existence of Widevine is a mystery for me. How sensible for Netflix is to invest into DRM at all?

It's not a gamedev situation, where DRM lasts long enough to make impact on initial sales. Pirated Netflix shows appear on the torrents same day, and unless they have full-stack protection from the decoder to the screen, not much can be done.

They seem to make user experience worse for nothing.

> The mere existence of Widevine is a mystery for me. How sensible for Netflix is to invest into DRM at all?

Well that investment is pretty low since Widevine is quite easy to integrate and the licensing cost is 0 for Netflix.

The thing is, you do need some Digital Rights Management somewhere. If you just have clear-text mp4 with no auth, you can just share that mp4 url, and you could watch movies directly off Netflix servers (so it would cost even more than torrenting).

You could include temporary tokens in your URLs, but then you need your CDN to be a bit dynamic.

Or you could have a completely static CDN, but the files are encrypted, and you download the encryption key off a server dedicated to DRM that will check you're properly authed. And well, here you've re-created Widevine. Widevine do provide more protections than just that, but that's just free for Netflix, they literally just have to switch some booleans.

> They seem to make user experience worse for nothing.

Yeah I mostly agree. As I mentioned before, there are some usages of DRM that are not completely non-sense. What kills me is the HDCP requirement. Many TVs have HDCP compatibility issues (for instance my Samsung TV has the two 4k60p yuv444 hdcp 1 ports and one 4k60p yuv420 hdcp2 port, so I need to chose between 4k content and true 4k resolution), while HDCP2 is utterly broken: you can find decrypting dongles for 20€ directly from Amazon.

> If you just have clear-text mp4 with no auth,

I don't think anyone's suggesting that there's NO authentication. Authentication is a relatively trivial, commonly-accepted necessary nuissance that is distinct from DRM.

> If you just have clear-text mp4 with no auth, you can just share that mp4 url,

You seem to think not having this specific DRM mandates a particular transport and authentication scheme? These are not at all related.

Really it sounds like what is being requested is that there not be non-portable binary blobs. That's it.

Netflix doesn’t do it because they want to. They do it because it’s part of the licensing agreements they sign to get content.

If it was the whole story, they'd put their own content (the rare ones for which they have 100% of the rights) with no DRM and the maximum resolution. But they don't do that.

In some cases you might get 720p (Netflix content) instead of 540p (third party) with widevine L3.

Why would they do this if they've already gone to the trouble to solve the problem for content they don't own? Just to show off by taking on unnecessary risk? The fact that they didn't build this infra specifically to protect their own content doesn't mean they wouldn't enjoy the benefit of the extra protection anyway.

The point is, the extra "protection" is worthless.

Not worthless, actively harmful to the user experience, and therefore actively harmful to the bottom line.

But I doubt the harmed people will feel materially less harmed if some tiny fraction of content isn't in harm's way while the rest still is.

It's in their interest to get rid of all the DRM, so it's a matter of setting an example. If they try to get Hollywood to stop demanding it while they're still doing it themselves, they look like hypocrites and fools. If they stop they can demonstrate the worthlessness of it and the success of their content without it and try to get others to follow.

> It's in their interest to get rid of all the DRM, so it's a matter of setting an example.

Is it?

I doubt it's a significant cost center. Plus, right management is viewed favourably by the rest of the entertainment industry. Actively going against the grain would impair their image with their commercial partners.

I honestly think they don't care at this point.

It’s not. It’s enough to deter casual piracy. There is some value in that.

If you could just right click and choose “download” for any Netflix original don’t you think that would be a problem for them?

> It’s not. It’s enough to deter casual piracy. There is some value in that.

Casual pirates wouldn't bother right-clicking in the first place unless it's to store a local copy that they won't even know how to share effectively (since they're casual).

The only thing DRM achieves for netflix is deterring new customers and hurting existing ones.

Most pirates are not subscribed in the first place. They just download something someone else had removed DRM from, which also makes it a superior experience. It only takes one pirate with a decent computer to encode a good DRM-free copy for it to be shared via BitTorrent. It is pointless to deter casual piracy when one "professional" pirate is enough to free the content.

> It is pointless to deter casual piracy when one "professional" pirate is enough to free the content.

For the piracy scene, sure. It’s irrelevant.

But for normal people the difference is huge. They may not know how to pirate content, where to go to find it, or be willing risk downloading it and getting in trouble (scary FBI warnings and ISP letters).

But once it’s trivial due to the lack of protection it will be all over TikTok and FB and WAY more people will pirate. Those are the people DRM, even light DRM, stop.

The way I like to put it is with an phrase your hear sometimes in the lock picking community. Locks actually don't really offer much protection. Their main function is to "keep an honest man honest."

Perfect saying. For DRM it needs to be effective enough to stop most people, even if that’s very weak in absolute terms.

I’ve known enough casual pirates like that in my life. People who would sign up for Netflix for one month every three years and immediately download everything and then cancel again.

The fact they can’t do that is a benefit.

> The only thing DRM achieves for netflix is deterring new customers and hurting existing ones.

Out of their more than 231 million subscribing households around the world, I don't think more than 5,000 feel the way you think. Even if 55,000 felt that way it doesn't matter.

This. DRM is a courtesy lock on a bathroom door. It makes ripping content enough of a hassle that only people who are willing to put some effort in will bother, and those people are going to find a way around it no matter what. It doesn't have to be unbreakable to have some value to the content owner.

If we accept that enabling DRM on some of their content has some value to Netflix, which it obviously does, and we accept that it doesn't impose unacceptable user experience tradeoffs, which it obviously doesn't, then it is rational for them to enable it on all of their content.

There is probably a hypothetical cost/benefit break-even point where it actually degrades the user experience a little and thus is only acceptable in cases where it is absolutely needed, but it seems unlikely this is significant enough to even be quantifiable.

> It’s not. It’s enough to deter casual piracy. There is some value in that.

Is it? Anyone is able to use obs studio these days, you know, to be an influencer. It is all I needed to "backup" offline versions of some shows for my kids before we would take a plane. I am pretty sure I could have torrented them out as well.

It's not worthless though, because if it didn't exist - some browser extension would appear the next day which adds a nice little download right next to the play button.

> a nice little download right next to the play button

This is obviously what we would actually want.

But we are talking about Netflix's motivations, not ours. And Netflix does not want this download button.

I'm not.

Buffering delays can be greatly reduced, if not eliminated entirely, by simply sending the whole file but in the past many upstream content providers insisted on limits for the amount of buffering/storage in the client.

Fortunately you can now download entire videos in the app, though they're undoubtedly encumbered by DRM of some sort.

It's probably more complexity to exclude certain content than to treat everything the same.

Technical complexity aside, it’d be a business risk to accidentally mislabel a stream as not requiring DRM too.

Netflix already labels them. They show only their original content to users which are suspected to be behind VPNs. [1]

[1] https://www.whats-on-netflix.com/news/why-can-i-only-see-net...

The consequences of mislabeling it likely vary based on the severity. Mislabeling and presenting without encryption is likely to be a bigger issue with content providers than accidentally allowing it via a VPN.

They have likely legal contracts with actors and similar which pay on a per-view basis which could sue Netflix if they would do that.

They definitely license music for their original which likely requires requiring DRM.

They would make offend influential huge organizations in the background of copyright monetization which could cause them tons of problems.

Tracking the difference would be annoying and pointless. Why do that when you can wrap it around everything and go home early?

Bingo. Netflix doesn't own the majority of the content it streams and wouldn't be able to have the catalog they have (which could be better) without providing guarantees to the rights holders of said media.

This is also why streaming video catalogs in Netflix and other providers can be anemic at times—even assuming nothing is exclusively licensed elsewhere, it's cost-prohibitive for Netflix to license all the media out there. Instead, they license popular stuff and use the rest of their licensing budget to rotate in/out a selection of less popular content.

This is the only reason why they do it. It's not just Netflix, everyone in the industry knows it's pointless, but these licensing deals mandate it and no one wants pay lawyers or extra to have it removed.

Of course they want to. Who doesn’t want to protect his or her intellectual property?

There are probably millions of people subscribed to Netflix merely because pirating Netflix content is inconvenient enough to make people rather pay. How many would reconsider this if the user experience of pirating was exactly as convenient as a paid Netflix account?

Most probably enough so that enacting DRM is the smaller price to pay.

> There are probably millions of people subscribed to Netflix merely because pirating Netflix content is inconvenient enough to make people rather pay. How many would reconsider this if the user experience of pirating was exactly as convenient as a paid Netflix account?

The people extracting the content are people who do subscribe. The user experience of the people who pirate instead of subscribing is completely unaffected by DRM because the DRM is removed by the time it gets to them.

All the DRM does is make the experience of piracy better than that of subscribing, by inconveniencing paying customers and not pirates.

Notice that the people complaining about DRM are almost never pirates, who have cracked it all already. They're people who want to pay Netflix money so they can watch Netflix on their weird Linux setup or whatever instead of just downloading whatever they want in the Netflix catalog from the piracy sites, which would be much easier.

DRM doesn't do anything for non interactive content. It's trivial to rip video and music regardless of what DRM scheme is used because the content is useless unless it's eventually presented to the viewer/listener in a non DRMd form.


You can make this argument for DRM on games, because there is no analogue hole - I can't record me playing a game and give someone else the exact same experience (although some publishers try to restrict this too, not realizing that streamers and youtubers are just giving them free advertising by playing their games).

Do people even still use the analog hole, or is it all about stripping DRM/HDCP/etc. in the digital domain these days?

netflix content is pirated the moment it gets released, so them employing DRM changes nothing

It was actually interesting to me the latest Chris Rock special which was on Netflix live recently. The first live event I've heard of Netflix doing.

It took a day to get onto the torrent sites.

So that was the first instance I've seen where buying was better than pirating.

I did see comments on the torrent sites from people who were there because their legitimate paid setup was deemed incompatible with live streams by Netflix though... Not a great incentive to keep paying.

I also wonder that about any audio/video DRM, but like most things it's probably something that is agreed upon in the many licenses that they'll protect the copyrighted material to their best ability. Even though everybody knows it's pointless and even ends up being a nuisance for some legit use cases like this story.

Just reminds me of years ago when building websites for clients they always wanted me to block right clicks and put a transparent image over a jpeg so people can't right click/save even though I told them it does nothing against people who want to copy the image. "But it's a bigger hurdle to do so!" well, not really.

> well, not really

But, it literally is.

I'm sure it's probably a requirement from all the 3rd party media companies. They didn't seem to like VPNs either. But I also wouldn't be surprised if Netflix wants it to keep high quality versions at least off pirate sites.

4k rips land on usenet super quickly though and they're excellent quality. HDCP is already easily bypassed at this point.

But probably re-encodes, so filesizes are bigger for close enough quality. A direct crack of the encryption would be best from a space-quality perspective.

Doesn’t really matter much though in most of the world as it used to though.

This is incorrect.

See the difference between a scene WEB release and a P2P WEB-Rip.

> The landscape of the WEB scene has changed in the last four years. > Subsequently, the ability to defeat DRM has become ubiquitous.


Full stack protection from decoder the screen is coming.

IIRC you can only play 4k Netflix on a smart TV which controls the entire stack from network to pixels

You know we had that, they called it HDCP. It continues to frustrate users of beamers and what not today, despite the root key being leaked for many years now. Even before the key leak, it never did anything to stop shows appearing as torrents on day one. It will never work, if pirates have to replace the TV panel with an FPGA, they will happily do so.

> It will never work, if pirates have to replace the TV panel with an FPGA, they will happily do so.

Evidence does appear to point to you being right, but I really wonder just who is going to these lengths to pirate things for other people?

A significant investment of time and money, from highly a highly skilled individual, for... bragging rights? Is there some financial motive I'm unaware of?

> but I really wonder just who is going to these lengths to pirate things for other people?

Content owners really seem to underestimate how far people are willing to go for kudos alone on setup cost if the reproduction cost is zero.

Also for some people it's a point of philosophy / concern about future-proofing. Guy I knew back in the day was the biggest torrenter around... He was stuffing a hard drive full of '80s cartoons. His attitude on it was that the creators and owners did not care if those half-hour toy commercials would be around in 100 years, but he did.

This, I've friends of mine who do this for a myriad of media. And I absolutely understand their philosophy.

Looking at video games today, riddled with DRM reliant on the server infrastructure of a finite life company makes me sad.

> Is there some financial motive I'm unaware of?

As other people already said, some people do it purely "for the just cause". But the piracy is also a literal gold mine if you're able to manage legal risks. Basically, you take ripped content and either re-sell ad-free access worldwide (Netflix is really, really limited to the first world), or make it available for free with heavy ads, or both.

Or make it available on DVD.

I know this was the incentive behind a lot of the people financially supporting the warez scene in the past.

Fun technical challenge that many people will be grateful for.

Often it’s people motivated to watch something otherwise unavailable to them. Then the technique is easy to use for other content, so why not?

An enterprising and skilled hacker or group of hackers finds rich financial backers to invest in the equipment and time necessary to build a solution. There’s probably a whole underground scene or multiple connected scenes working on this stuff, composed of both hackers and their supporters.

> but I really wonder just who is going to these lengths to pirate things for other people?

The people breaking the systems and the people doing most of the pirating are different.

DRM breaking is a fun challange to some people. You can find these kinds of people breaking all sorts of things. Browser sandbox escapes, remote code execution etc. The mindset is well described in the article here as I can only solve a problem if somebody else implies that I can't. It's a fun challenge! Plus if you do it before others, you get to feel really superior.

The actual pirating is however done by different people. Usually initially by close acquaintances of the DRM breaker, but the methods tend to spread/leak.

If I can crack any piece of DRM, or any digital restrictions, I will do it for free and release it for free. If publishers can't make paying for content more convenient than torrenting or downloading it from a random website, it is their fault. Also, the sense of accomplishment is too great to ignore once you finally crack it.

> Is there some financial motive I'm unaware of?

Precisely the opposite. We do it for free because other people do it for money.

I don't think it's that weird. People do stuff for free for a better all the time.

Nit, but I think HDCP 2 is still cryptographically secure? No leakage, no known crypto flaws on HDCP 2.3 if i remember correctly.

That being said, It's still utterly broken because you can buy HDCP 2 disabler from Amazon for 20 €

How do the cheap disablers work if the protocol isn't broken? Is someone signing devices that they aren't supposed to?

FYI, the German word "beamer" is a 'false' anglicism. The English translation is (video) projector.

Thanks! I was trying to figure out what the heck a beamer was. Didn’t seem likely to be a BMW which is the only thing I’ve heard folks in the US call a beamer.

Reminds me of when I visited friends in Germany and they kept talking about their handy and I eventually figured out that’s a cell phone.

Learned this via LaTeX :)

> IIRC you can only play 4k Netflix on a smart TV which controls the entire stack from network to pixels

Netflix won't allow TV makers to make their own Netflix app, they must use Netflix proprietary code as-is, and it's Netflix code that download chunks and forwards them to playback, while TV handles the secure video decoding, so TV can't "control the entire stack"

Also, tv boxes are allowed to playback 4k Netflix just fine without controlling the screen.

All the Netflix shows you can download on the internet do include the 4k versions.

Maybe they'll obsolete older 4k devices that are deemed less protected (though I could probably point them "a few" security flaws to Netflix-endorsed 4k devices so that every is on par), but I doubt it. I don't think anyone ever done that (720p has always been fine without HDCP, 1080p with only HDCP1, before that macrovision was non-breaking) [1], and I doubt Netflix would want to push that badly towards e-waste.

[1] There has been few cases of some devices being revoked, like Nexus 6, but it was usually long after their shelf life anyway

they do this because the board has a financial obligation to its shareholders to mitigate risk. they do this because the board also has a contract obligation to its content providers, artists and unions to safeguard against unlawful piracy.

>It's not a gamedev situation, where DRM lasts long enough to make impact on initial sales. Pirated Netflix shows appear on the torrents

This hasn't been consistently true for a while. Stranger Things season 4 did not appear in high resolutions online for a month after release.

Widevine is not from Netflix per-se but for all kind of DRM content, including that from other streaming services for all kind of media.

Furthermore it is _not_ Netflix decision, but a decision legally forced onto them by companies which whole purpose it is to make money from selling copyright which have huge legal influence in both the US and the EU. (Through Netflix does has some influence on the legal framework leading to to, but very limited compared to e.g. Disney.)

If Netflix wants to have any 3rd party content, even "old crappy stuff", they need DRM (or way more power/influence). Even for first party content due to round about legal things they might be required to have DRM, I think. (But I am not completely sure).

It's actually quite simple. DRM exists so regular users can't easily rip the stream and share it with friends. Sure, the video is already available on pirate sites. But theres a big difference between accepting a video file from a friend, and having to navigate the pirate sites (which are also full of viruses).

I think their licensing agreements probably mandate that Netflix needs some sort of DRM to check a box.

The point is to make the Netflix experience better for the average person than the experience of using a pirated source.

And - IMHO - it works.

I used to use Bittorrent quite a lot. There was a bunch of US shows I watched that were unavailable in Australia and so I had a pretty decent setup where things would automatically download when torrents were posted.

Life happened, I stopped using it and haven't really tried torrents for maybe 10 years.

I tried to get a show recently that isn't available here. Wow, that's a pretty bad experience - try to find the correct show, work out what client you need, find one that has seeders, downlaod one and the codec is wrong for my device etc

I just gave up.

I can get NVidia software working on non-standard Linux builds (which I think is a pretty high level of technical competency) but for most people getting pirated content isn't worth the effort.

By putting DRM on the content, they limit distribution to people who know how to remove it and then to people who are experienced at finding what they want on pirate sites.

TL;DR: The user experience is much better for most people. Pirated content has such a bad user experience, but people who use it have invested a lot of time working out what works and don't realize the effort it takes.

What? Piracy is so easy.

Go to torrent site, download torrent, click on file. It really couldn't be easier. There's no DRM on the torrent. If you have a semi-modern GPU you can play any codec you might download. I'm really not sure what you're talking about, unless you're going to some weird torrent site.

Piracy has a great user experience compared to paying for DRM and having to use a particular app instead of your preferred player.

I almost wrote "just wait for people to say 'no it's easy'" but I thought surely we are over that now.

I want to watch The Climb 2023 S01E01. I Google "The Climb 2023 S01E01 torrent"

First result is www.stagatv.com/series/the-climb-s01 (not linking because it is spam)

Hmm nothing else useful on the first page except this: In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at LumenDatabase.org.

Ok, lets look at that. Hmm a random list of very spammy domains like 123movies dot unblockall dot org. Hmm these don't seem to work.

Ok what about my old torrent sites. No, they are all down.

ThePirateBay! Yes I remember this....

Oh where has it gone... Oh I need "The Pirate Bay Mirror" now? Oh there is a Reddit: https://www.reddit.com/r/TPB/

Ah.. I need invites. No, maybe mirrorbay dot org?

Ok, search here: Yes, found a WebRip! I remember this...

Oh.. zero seeders? Ok try another? 1 seeder? Hmm

Can I use this in WebTorrent? Hmm doesn't seem to do anything.

Ok, I give up.

Wants to watch FooBar S01E42.

Opens Netflix, but it’s not there? Huh, this show is licensed by BarBaz company, so goes to their website.

Good, it’s here. Wait… “Watch” button is greyed out? “Content is not available in your region”?

Or simply the company decided that your device is not good enough to play the video at full resolution (e.g. Apple TV does that in LG TV app), and standalone device is like 3x overpriced in local stores?

OK, searches for some random VPN (that’s the part where spammy domains and adware come into play). Finds something that seems to be working.

Or not? Searches for the problem, and oh no, the region lock is actually based on the account, and to change that you need to use a card or ID from that specific region or whatever.

Searches for this stuff (more spammy domains), finds a marketplace, gets scammed but luckily there is a buyer protection so gets refund.

Gives up, opens some popular torrent tracker/forum, downloads 2160p HDR/DolbyVision WebRip/BDRip, can watch with friends offline at a local party.

Things have changed a bit, but not much.

First, Google heavily censors results nowadays. You will get much more results with say Yandex.

Second, TPB is no longer the best public torrent host. For public sites rarbg and 1337x are better alternatives.

Also, for anyone actually doing this kind of stuff regularly, the key is to enter the world of private sites. There is more than enough public discussion around them on sites like reddit. https://old.reddit.com/r/trackers/

So, it's still really easy. Your knowledge (like TPB) is just outdated. However for people who have equivalent modern knowledge, things are simple.

See this is actually the point: It might be easy but it's going to take time. Even more-so with all the people suggesting setting up a whole software stack.

Again, it's all easy enough, but..

It's not time I'm not prepared to invest anymore.

And to go back to the point: this inconvenience is why Netflix keeps DRM.

Really? You really find it that difficult?




https://en.btdig.com/search?order=0&q=climb%20s01e01 (might be slower but just click on every magnet on there and see which one is quickest)

Took 5 seconds to find those.

You could google "top torrent sites", enter one search and be watching that show in less time than it took you to write that comment.

As others have said, it would take me a lot longer to find out which of the myriad streaming services actually have that show, and what device/app I need to actually watch that streaming service.

I could connect to my Iranian VPN which it's VPS I bought through portals available in English, type "The Climb 2023 دانلود", Click on first google Link and use google translate to find the download link in the page. Or use private trackers like IPTorrent or TorrentLeech through leecher (torrent to direct link) providers available in said countries. Will probably work on any other country/language combo with out copyrights law.

Yes, that's one way to do it. It's the way that hasn't worked for years.

The other way is fire up a VPN (I suggest Mullvad), setup port fowarding in Mullvad once time, start QBittorent, search in QBittorent, done.

Yeah, not "easy"... But there are guides.

Piracy has become slightly more difficult, mostly because of the difficulty finding good torrent sites.

I've set up Prowlarr with the recommended torrent sites and have found two torrents (h264 with 4 seeds and h265 with 9 seeds at 1080p, or h264 with 3 seeds at 480p) for your query; it took me no more than five seconds. A torrent client isn't enough these days, unless you like wasting your time on Google, but there are technical solutions for that!

Combine this with Sonarr and you can simply add "the climb". It'll download all the episodes for you, and optionally start downloading new ones once the next season comes out.

I can't find where I would watch this show legally. The local copyright lobby has set up a nice website where you can look up legal sources for TV shows, but it doesn't even list the show, let alone show the normal "not available right now" message. With legal-ish access to Amazon, Disney+, HBO, and Netflix through my accounts or those of friends, I'd expect to find it somewhere but I'm not going to bother manually searching through all that.

There's an opportunity for media companies to take Sonarr and make a version that just redirects you to the services you're already subscribed to. They'll have to find some data source for situations like "season 1 is on Netflix, season 2-4 are on Amazon, season 3-5 are on Disney and the specials are on Paramount+" but the industry have done that to itself so it may as well fix it.

Piracy is still often the easy way out for me now that I have the *darr collection set up. There was a short time where practically every streaming show was on Netflix and piracy was the stupid, difficult way to watch shows, and I actually kind of liked it. Then the industry had to fuck it up for itself by splitting off in a million different subscription services.

Hell, nontechnical people still resort to piracy despite their inability to use torrents. For many, 123-super-movie.entertainmenttonite365.biz or whatever you call it is good enough. These websites, seemingly designed as a benchmark for adblockers, are hard to find or navigate but are still considered better alternatives than the restrictive, annoying, often expensive streaming services.

My theory is that that's for one simple reason: you can find a link on Google and just start watching. No need to open seven different apps and do the search over and over again, waiting several seconds for animations and sign-ins.

Some people may do it purely because they don't have the money to spend 20 dollars on watching two episodes of a show, but the same was once true of music and Spotify mostly fixed the music streaming market for consumers, and youtube caters to the rest. Even the people using weird streaming sites don't download mp3s anymore!

sigh you can lead a horse to water. Look around you, notice that people are not pirating en masse. People prefer to just pay for Netflix. But piracy is so easy! How could this be? Could it be... you're wrong?

Google the arr stack + Plex. Should give you your own personal Netflix without much work, or so I heard...

I want to signal boost this a bit because it's so incredible once you see it. The "arr stack" is a suite of interconnected software that automates finding pirate media by integrating with a HUGE number of ways to search for torrents, Usenet, etc. It's all self-hostable and with Overseerr as "pick what to download" frontend and Plex as the media viewer, it works so well that it's a genuine Netflix replacement, so easy that parents can use it.

So, it’s easier for me to go through the trouble of finding a good torrent with seeds that download fast than just paying for Netflix and automatically stream to my iPad while I’m at the airport?

> They seem to make user experience worse for nothing.

The user experience worse for all of the Linux users who want to watch Netflix on a computer? What percentage of the market do you think that is?

IIRC, the reason for incorporating DRM was that the major studios wouldn't license anything to them if they didn't.

> Truth be told, I don't care very much about Netflix - the UX offered by BitTorrent is superior.

getting what you want fast. It is literally that easy & netflix messes it up with being nondeterministic and screaming at me trailers I've never asked for. My autistic self is o.u.t.

Netflix is designed this way because most of the time people don’t know what they want. So it’s a browse, not a search, interface. But it has search so I don’t really understand why it’s a problem to see things you don’t care about for a second before searching.

Other services are browse-mainly, too, but are far less annoying than Netflix. Their UI being so goddamn obnoxious for so long, with apparently no intent to ever change that back to something sane, was part of why I cancelled recently after being a subscriber since the DVD days. (Yes, I used the "stop autoplaying, jesus god who could possibly want that" option they finally added, but it didn't seem to affect all platforms, or else they reset it at some point, I dunno and I wasn't paying Netflix so I could go find out how they screwed it up)

Like, it's terrible specifically for browsing, so its being oriented around browsing isn't really a defense of how shit it is. Sitting there chatting with someone about what to watch and you have to keep moving from thing to thing constantly or it screams over your conversation and/or shows you spoilery, distracting shit. WTF. A few others autoplay or play clips/trailers but without sound, which still sucks but is at least better. I shouldn't have to slam the mute button every time I return to the menu just to keep Netflix from doing stupid crap it shouldn't do in the first place.

Because the search is pretty bad too, even when you know what you want and you're sure it's there.

How would you improve the search?

Better filters instead of permanently inventing new "categories".

Allow me to filter (and sort results) by playtime, IMDB/Letterboxd score, original language, whether I have watched it before, ect.

If I don't already know the name of a movie, I just need Netflix to show queries like "a French movie shorter than 2:20h with at least 3.5 stars on Letterboxd".

FYI you can turn off the auto-playing ability of trailers in your settings on the website. They will then take affect in any Netflix app you use, too. It's stupid you can't set it from the app, but I turned off autoplaying trailers the day it came out and have liked using Netflix a lot more since then.

Maybe true for English. But possibly who prefer other language dub/sub, it will be harder to find torrents.

Many judge success on this by "do i get 1080". I've found this to be incredibly deceptive for nix and DRM on netflix.

My experience has been that even managing 1080 on a nix platform the experienced quality is substantially worse. Thoughout I was going insane, but checked bitrate and sure enough netflix at 1080 was streaming at much lower rate than on windows 1080.

The article mentions there are three levels of Widevine DRM. I wonder if the level available to Linux (three) not only limits resolution but bitrate, at least as far as what Netflix is willing to serve.

Would changing the user agent to a Windows release of Chrome make any difference?

I do not know.

I jumped through all the hoops suggested at the time by the various get netflix to work on linux guides. Extensions and right browser and DRM enabled and whatever other stuff they recommended.

No dice on comparable quality.

I should add that there is always the possibility that there was some gfx driver or codec dynamic at play that I don't understand...but ultimately if it's visually noticably worse that's a fatal flaw regardless of reason.

Just goes to show that the DRM is just security through obscurity.

True for Widevine L3, which is what the article is talking about. Not true in general, and not true for L2 or L1.

I'd argue the same goes for L1 and L2. But the obscurity is provided by the silicon packaging process.

Would be nice to crowdfund a lab to break these hardware backed treachery schemes.

When you say “security through obscurity” there’s a certain understanding that we’re drawing a line between implementation secrecy (obscurity / obfuscation) and key secrecy. If we extend the word “obscurity” to include the notion of physical security, I think we’ve gone too far—even if physical security is just the physical security of a secret embedded in silicon that you have physical access to (because it is super difficult to recover secrets from silicon).

With DRM the user who owns the machine is the "attacker". The keys have already been handed to the user, he only needs to get them out. This is like hiding an API key in a public website's javascript with rot13. Very much security by obscurity.

Proper security means that the attacker should never be in possession of the key.

You’re saying that a hardware security module is like rot13?

When you say the attacker “only” needs to get them out, the “only” is doing a lot of work, there.

The standard for cryptographic security is that the attacker can do no better than brute force. And the complexity for that is usually set high enough that it is out of range for the entire computational capacity of our civilization for years to come.

I'd say handing the key to the attacker in a package that requires somewhere between a skilled reverse-engineer and a semiconductor lab to untangle falls far short of that standard.

Yes, but it only has to be done once.

While cracking the hardware is an interesting technical challenge, it is certainly not the only method. Security is only as good as the weakest link -- the human factor. Thus, piracy groups are able to use social engineering to crack Widevine without relying on advanced laboratories. See [1].

[1] https://news.ycombinator.com/item?id=29702110

The same goes for the HSMs that power the internet's certificate authorities then. If there were a precise enough CT scan that could read the current state of atoms and flash, we'd have a major security problem.

The only reason L1 doesn't prevent people from pirating 4K HDR movies is because the Nvidia Shield has a bypass, and Google is too afraid to revoke its keys (or maybe Nvidia is paying millions of dollars a year to rights holders for their 'lost sales' from pirated movies at the hands of the Nvidia Shield).

Ah the Tegra X1 bootrom exploit is the gift that just keeps on giving. I instantly bought a switch when the news came out.

At the end of the day, the user's hardware/software has to be given a decryption key for the content, and the DRM scheme is all about obfuscating that encryption key so that users can't find it.

I’d say that a key stored on hardware is not merely obfuscated, when that hardware is designed to prevent you from recovering the key.

The hardware ultimately has to decrypt and play the content, so you can use it as a decryption oracle even if you can't extract the key itself.

Sort of, within constraints. L1 both decrypts and decodes, so you can’t really use it as a pure decryption oracle, but it doesn’t matter if you’re going to re-encode it anyway.

Not that it really matters, since HDCP has been cracked. There are a lot of holes here and a lot of problems with DRM.

Eehhh at the end of the day, L1 is still almost impossible to bypass and hasn't been broken in years. So it still works, meaning it doesn't really matter even if it's security by obscurity (I dont think it qualifies for the term but anyways).

L1 has been bypassed by piracy groups for years (through social engineering). They just don't share the keys publicly because it would give their opponents an advantage. See [1].

[1] https://news.ycombinator.com/item?id=29702110

True, I didn't realize those were l1 keys. I'll have to read up on the revocation mechanism, if there is any. I'm also wondering how those keys usually leak. Is it through vulns, or just exploiting unsecure key handling?

The Nexus 6's L1 keys were dumped through a vulnerability in Qualcomm's trusted code execution environment.



Circumventing higher levels of Widevine has been unnecessary until now, since the HDCP protecting the inevitable HDMI video output has been thoroughly cracked. Pristine 1080p and 4k copies of Netflix content is widely available.

> since the HDCP protecting the inevitable HDMI video output has been thoroughly cracked

My impression is the stuff coming from the various streaming services is not captured and reencoded, but direct bit-for-bit copy of the original H.264 (or H.265) encoding (sans DRM). (Yeah, others will do reencodes later but quite a bit of the source material encoding comes directly from the streaming sites.)

You're right that there is plenty of directly stream-ripped content out there, presumably using cracks of various levels of Widevine. The makers of these tools and the groups using them tend to keep quiet about the details of the precise exploits they're using, for obvious reasons. Ultimately, there's no shortage of DRM-free 4K content, whether from streaming services or Blu-Ray, since there's always a weak point in the chain somewhere.

Yeah. With blurays, you can always extract the device key out of some Bluray player. It's an extremely poor user experience for bluray consumers to have their devices stop working for new movies, so my impression is these keys aren't blacklisted all that quickly. For the streaming sites, I have no idea. But, yeah, the cleartext bits need to get in front of the user eventually.

BluRay has two security systems. One is based on key revocation (AACS) and one is based on embedding programs written by companies contracted by the movie studios which do dynamic detection of rippers. AACS failed almost immediately because indeed, keys leaked faster than they could be revoked. BD+ proved much harder, at least in the early years. But it was only ever designed to last about 10 years according even to the sales pitch of the designers and it's older than that now, so I wouldn't expect it to be all that effective anymore especially since Intel pulled SGX from their client chips.

Capturing video via HDMI is less than optimal, since you then have to encode a 2nd generation lossy copy. Ideally, you want to decrypt the original audio and video streams before they've been decoded and sent to the display.

If it hasn't been broken, then where do all those 4K HDR torrents come from?

From cracked HDMI HDCP?

I believe that L2 would be weaker than L3 in practice, which likely explains why I've also never seen it implemented (If you know about an L2 instance I would be genuinely interested in taking a look)

> I believe that L2 would be weaker than L3 in practice

How come?

According to the descriptions I can find, L2 does cryptography in secure hardware, but video decoding in software. (as opposed to L3 that does both in software, and L1 that does both in hardware).

In L3, you can obfuscate the cryptography and the video codecs together as a unit, blurring any defined border between them. A determined reverse-engineer can inevitably unravel that obfuscation, but it's non-trivial.

In L2, there must be some interface between the hardware and software components. That interface presents itself as a very obvious weak point. As an attacker, all you'd have to do is watch the data flowing out of the cryptography hardware, and into the video decoder software, and you'd be able to siphon out the plaintext video data.

(To be clear, this is entirely "in theory" because I've never seen an L2 implementation)

security through obscurity is generally not about keeping a well known encryption scheme's keys "private". It's generally about not knowing how a system works at all. In this case (and the same for blurays actually), we know exactly how the system works, given the keys we could decrypt the content, but the keys are kept "well" protected (depending on widevine level, different levels of protection). In BluRay land enough player keys have leaked to make it basically irrelevant. It's also harder to determine whose keys are being used to decrypt, making it harder to revoke. In an online widevine world where one has to use one's baked in device keys to get the content key, its much easier to determine if a single device's key is being used an abnormal amount of time and then revoke it.

while one can view the efforts to protect a widevine l3 key as security through obscurity, its mostly there to make the effort hard enough that most people are interested in doing it, than to keep it perfectly secure.

The “security through obscurity” chant needs to die. It’s such a generalized concept it applies too broadly.

Encryption is “security through obscurity”.

Having few admins is security through obscurity; a guessing game of who is the admin?

> Or rather, that was all true at the time when I first investigated Widevine-on-Asahi, several months ago. A few weeks ago, Google decided to enter the 21st century and started shipping aarch64 userspaces on certain Chromebook models. This means that "Widevine-in-Chrome-on-Linux-on-aarch64" does exist. The ChromeOS blob extraction process works as before, and the Pi Foundation conveniently packages it as a .deb for Pi users.

Not the point of the article but this is great news that I learned just now. I can finally upgrade to aarch64 chrome on my Raspberry Pis.

Anyone who knows some technical detail about Widevine, please could you explain what is the difference between L1 and L3 (other than resolution/quality)?

How does each interoperate with EME?

And what sort of process would one need to do, to be able to view an L1 stream on a bespoke Linux distribution, rather than the L3 stream that this person received? How difficult is it to do, and what are the specific challenges?

EME is just an API to access the native code.

Levels are primarily about various kinds of hardware protection, I think. The lowest level just uses ordinary software obfuscation in the widevine library that this article is about, and regular updates to change the media keys.

Higher levels integrate more with special hardware "APIs" of various kinds. I think you generally cannot play the highest levels on PC hardware at all, it's more meant for Apple TVs and other such devices. Other levels may require things like the Windows protected media path, which lets you upload encrypted video data to the GPU and then it's up to the GPU firmware to decrypt it. So then it becomes a question of understanding how the GPU is decrypting the data and defeating that.

The target site is intermittently experiencing the HN Hug of Death, so if you have trouble accessing it, here's an archive link:


The link in the webarchive pointing to the gist of the script is wrong, for what ever reason (at least the name of the script is completly different). This is the correct gist: https://gist.github.com/DavidBuchanan314/c6b97add51b97e4c3ee...

It's the same script, just an earlier revision.

I was looking into this very problem yesterday! Terribly scared by widewine, I ended up building webkit with eme support enabled, then enabled the relevent setting in the nyxt browser. Seems to be working fine so far.

So are you using Widevine?

In the end yes, although it was much easier to get working than the authors adventures with firefox

Does this actually get 1080p? I thought L3 was limited to 720?

L3 is weak enough that you can dump it by just hooking the decoders.

> Most streaming platforms will limit you to only "HD" content on L3 (as opposed to 4K on L1). On Netflix, this upper limit is 1080p (although it might depend on the specific content you're trying to watch?), but you are further limited to a mere 720p by default. For some reason, you can only get 1080p if your client asks nicely for it (at the protocol level), and there are browser extensions that do this for you automatically.

Entirely depends on what the streaming service feeds you. IIRC Disney+ drops you to 480p.

As a linux user i skimmed the page and realized about half way through that i'll just pirate stuff anyway and never deal with that kind of bs.

Piracy is increasingly becoming the ONLY option for many people. It's fascinating how this industry became it's own worst enemy.

Netflix quality is crap on Linux, I just torrent everything as it is simpler and I can use a player that allow me to put the subtitles where I want. I know I say this bluntly but I came to a point where I cannot get all this nonsense about not trusting the user. I buy music on band camp that I do not "distribute". I do not believe removing DRM would yield to higher unauthorized distribution.

Also do not be fooled by resolution, low bitrate 1080p can look worse than 480p, and many services are quietly throttling bandwidth.

High quality 1080p should be 8-10mb/s.

Can one use "Kigo Netflix Downloader" in a WINE or native install for linux if they have one - and then play with VLC?


(not associated with them)

That company doesn't look dodgy at all.

I don't remember about Netflix but Prime Video on Linux was capped to HD resolution (at least one year ago) so I went back to that thing that is more convenient and free.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact