Microsoft PlayReady – Complete Client Identity Compromise (seclists.org)
182 points by tithe 10 days ago | 168 comments





Is there any video DRM scheme which successfully protects video content appearing on the pirate bay within 24 hours?

I really don't see why so many millions (billions?) of dollars have been spent on technologies which so far have never kept the bad guys out.


4K streaming content is hit or miss because most services lock that behind Widevine L1, which requires implementors to use a secure enclave and the entire signal path to use strong encryption. If an L1 implementation gets compromised it quickly has its keys revoked and is downgraded to L2/L3, so piracy groups have a limited time window to dump as much 4K content as possible. Those lower Widevine tiers are permanently broken though so everything is immediately available in at least 1080p.

4K Blurays are currently always ripped due to an unfixable compromise in Intel SGX allowing PowerDVD's keys to be extracted, they could close that hole by revoking PowerDVD's keys for new Bluray releases but they haven't done that yet. I imagine they will at some point because PowerDVD requires SGX to play UHDs, and Intel stopped supporting that on newer consumer hardware, so 4K Bluray playback on PCs is effectively being phased out.


> the entire signal path to use strong encryption

But the display panel itself still receives an unencrypted LVDS signal, which should not be too hard to decode. There are (were?) also cheap HDMI splitters that conveniently strip HDCP.

Your only issue is that yes, you can't get at the original compressed video stream and have to reencode, possibly losing a tiny bit of quality.


That is true, but ripping content in that way is a much bigger burden on piracy groups since it has to be done in realtime, can't be done in parallel without multiple expensive hardware rigs, and metadata like subtitles can't be extracted automatically. Rips of streaming shows often have a dozen or so subtitle tracks and nobody is going to transcribe and re-time all that by hand if they can't decrypt the stream directly.

Are subtitle tracks also encrypted? I've always had the impression that only video itself is.

edit: But the subtitle tracks are also available on software-only DRM levels that are easy to break.


Actually now I think of it that doesn't matter since you could just pull the subtitles from the weakly protected 720p version then apply them to the higher resolution versions. Ripping the 4K video through LVDS or HDMI capture would still be annoying though.

I don't know the burden is as big as you imagine. I used to run a torrent site that was 99% recorded shows through capture and we still had every single broadcast show uploaded within minutes -- and no uploaders were getting paid, they were just bored and doing it for the Internet points.

edit: also to add, we would get employees at the studios send us discs with the new shows before release, but I had agreements with at least one studio to not allow uploads until after broadcast if we received any of their media


Yep I realized that and edited my parent comment but you beat me to it.

Another complication for LVDS capture is that HDR content is always tonemapped/filtered (OLED ABL etc) before it is sent to the panel, and that processed version is what you would get with LVDS capture. It might be usable, but it would be a downgrade from other capture or decryption methods which grab the unprocessed HDR video.

With a $20 HDMI grabber you get 4K HDR video with full Dolby Vision or HDR10 metadata, without any tonemapping applied, en masse.

Combine that with some software mods to hide the UI at all times and you've got a perfect recording.

Re-encoding is the slowest and most annoying part of this process, but release groups re-encode everything anyway, so that's not an issue either.

DRM only hurts the legitimate customers, no one else.

I'm subscribed to the highest tiers of Netflix, Disney+, Prime Video, Paramount+, YouTube Premium, CuriosityStream, Nebula and Zattoo.

Yet often enough, I have to rip media from bluray because the streaming version only has audio or subtitles available in the local language or the quality is subpar.


>> I have to rip media from bluray because the streaming version only has audio or subtitles available in the local language

This. It's a huge problem for us expatriates living outside of their native countries - I want my son to be bilingual and as part of that I try to at least play cartoons in my native tongue - but Disney/Netflix/Prime usually only have the local language option, even though as soon as we are physically in my home country magically the same shows have dubs in local language. So all of these corporations have these options available, but decide not to show them for whatever reason. So more often than not I have to ask family to send us actual DVDs/Blurays of kids shows so we can watch them in the language we want to watch them in.

And no, VPN doesn't always help - it's flaky, it's frustrating in its stability, one day it works the next day it doesn't, it's not the thing I want to mess with nearly every other day just to play some cartoons.


^^^ great comment. hard to imagine a better synopsis of 4k DRM in ~2 grafs. thanks!

Not mentioned above, but should be noted that all of this DRM is still only protecting the compressed and encoded video content. Schemes to protect the uncompressed digital video data are all permanently and universally broken or bypassed. The 'analog hole' has gone fully digital. One would think that alone would be enough to seal the deal on the pointlessness of DRM, but unfortunately there are a lot of gullible execs out there that want to keep pouring money on the fire.

As long as it stops even 100,000 people from not downloading videos off of Netflix, from an executive’s perspective, it pays for itself.

To them, it’s like saying Speed Limit signs are useless, because cars can go faster than the number posted by literally pressing a button. That’s not the point.


Yes if a particular group gets to externalise / socialise the costs of maintaining a protection then obviously from the perspective of the protected group then it's worth it.

The question is, is it good for society overall. Who or what is being protected and what impact does that have on everyone else?

Speed limit / stop signs represent a decent point of discussion I think.


> The question is, is it good for society overall.

That’s not what execs ask at all. I don’t know where you’re living. The existence of DRM is not in any way related to society.

Their analysts say it’s a net positive on their balance sheets, so DRM is here. Everything else is baseless speculation.


Speed limit signals danger, right?

Does DRM signal an ethical dilemma?

And if yes, what does it mean considering that each year we lose millions of people on the roads. (To fatalities and horrific injuries resulting in permanent disabilities.) Yet the majority doesn't care?


There is no "particular group" or "everyone else". Everyone has rights over their own creative work, even if that's mildly inconvenient to others. It's part of the social contract of modern society.

The people who profit from all this are mostly not those who can claim that it is their own creative work.

Finish the thought. How do they profit from someone else's creative work? Is it a) by just taking it because they can? or b) by mutual agreement with the original creator?

By being in a dominant economic position whereby they can force predatory terms onto content creators who cannot avoid them if they want any chance of getting anything at all, or reaching a significant audience.

You're trying to use emotional language to avoid actually thinking about the question. The correct answer is b, and the alternative is just plain banditry.

You don't have an automatic right to compensation or audience for your work. Your right is that others can't take your work without your permission--i.e. that they don't own your text just because they can read it. If you have no rights over your text, then only the man with the printing press wins. When you do have those rights, you can trade them for compensation, audience, etc. and that's your choice, not theirs.

Does this mean that agreements are made between entities in unequal economic positions? Yes. But so does employment, so does freelancing, so does nearly every business ever.

Being personally dissatisfied with the current economics of publishing does not change the social contract that underlies it.


> But so does employment, so does freelancing, so does nearly every business ever.

Sure, capitalism is fucked up all the way through.

If and when you get it to the point where people can negotiate from position of equal power (also in all those other areas, yes), then I could take your ethical point seriously.

As it is, the companies that get harmed by piracy of the kind that DRM prevents are parasites on society, and the notion that the deal that they force on the rest of us through their position of economic dominance is some kind of "social contract" is laughable. Which is exactly why piracy is so prevalent - if it really were a social contract, people wouldn't do it in droves.


> capitalism is fucked up all the way through

My brother in Christ, you work for a two trillion dollar company built on these same rights.


I do, but I don't have to worship either the company or the system.

If you take the capitalistic lust of the corporate executive to its logical extreme, given the massive costs of the DRM tech you'd think that at least one of them would realize that they could make more money if they didn't have to pay for something that doesn't work. The economics of distributing the copies are such that it doesn't actually matter if it's easy or hard for 1 or 100,000 people to break the protection.

I work for a large streaming service and a significant part of my work is content protection.

Honestly, tech folks' misunderstanding of DRM and content protection is significant. There's some assumption that people are inherently honest and that we're just money grabbing. In the years that I've been doing this I've seen a lot of things and nothing has convinced me that if we turned off DRM we'd: 1) save money 2) not have issues with piracy proliferation

The cost of DRM license issuing for our company is relatively insignificant, a year's worth of DRM for millions of users is less than the cost of a single show we might make. We pay cents per thousands of plays.

I recall we launched in a new market, we did a show which would have been an expensive PPV previously, but it was included in our standard subscription. We also offered a first month free trial, which you could cancel. So, you could enjoy it at zero cost, from the original provider in high quality, with no commitment. That night our anti-piracy team took down 20,000+ illegal streams, serving a large audience.

I also acutely know that DRM isn't as secure as we'd like, I know that all security measures are ultimately not anywhere near perfect. But you know what? I also lock my front door, even though I know how to pick locks. I put my car keys in a RFID box, despite knowing there are probably CAN attacks against my car. I still need to protect my assets, because enough people don't want to pay for something if they can get it for free.

We had some research into the attitudes of pirates that basically distils down to: 1) 1/3rd would pay if they couldn't get the content any other way 2) 1/3rd don't care enough and are casual pirates, watching because they can. 3) 1/3rd are "pay never", militant, yet still happy to take my work without concern for the sustainability of that.

Ultimately, if you like content then you should pay for it, but it's always a waste of time arguing about this on the internet because so many people are in the third category, think I'm an asshole for doing my job and apparently they know my job better than I do.


That's all beside the point. Hardware belongs to the user and should be under the user's control. Treacherous computing should be highly taboo and illegal.

The "sustainability" of Disney's profits is not important. To suggest otherwise on a site literally named Hacker News is comical.


Why would bringing up sustainability of any business be comical at Hacker news?

How do you make money? Why should it not be for free? Your sustainability is important?

We agree on hardware belonging to the user by the way.


Hacker ethos is about freedom to control what you own and put it to the purposes that you, its owner, want. DRM takes away that freedom, so it is obviously incompatible.

If that freedom makes e.g. Disney business model unsustainable, then that business model is itself incompatible with the ethos.


You're still missing the point, and I believe intentionally so.

> We agree on hardware belonging to the user by the way.

You absolutely do not or you would not engage in the work you do. Actions speak louder than words. Being dishonest only makes it even worse.


The argument from the other side is at least as frustrating.

> ...nothing has convinced me that if we turned off DRM we'd: 1) save money 2) not have issues with piracy proliferation

> That night our anti-piracy team took down 20,000+ illegal streams

You already have enormous issues with piracy proliferation. The money you spend on DRM may be "relatively insignificant", but it's still money being wasted on "protection" that has already proven to be utterly ineffective.

I am in neither of your three groups. I want to pay for content. I pay for a lot of music, for example. But you're not going to bully me into paying for your shit by making it as user hostile as possible. As a paying customer I expect at least the level of service that piracy groups have no trouble providing, but instead I'm treated like an enemy every step of the way.

In practice this means I avoid TV shows and movies, but when I do want to watch one I have absolutely zero moral qualms pirating a product that is not for sale. I'll even go out of my way to look for a DRM-free copy I can pay for first. This takes more time than pirating it once I inevitably find out that's not available.


> already proven to be utterly ineffective

The fact that it does not always work, is in no way a proof of ineffectiveness.

Otherwise, the tax system, speed limit signs, front door locks, and glass windows are also “completely ineffective.”

He is literally telling you, from his own experience in his company, it’s effective. Don’t cite a sloppily-produced research paper from somewhere to make him deny reality.


> Don’t cite a sloppily-produced research paper

I'm not, I'm citing their own comment in which they describe taking down 20,000+ illegal streams of their already DRM-"protected" content on launch day. He's describing it not being effective at all.

Glass windows, speed limit signs, the tax system (what?) provide value to the people affected by them. DRM is a pure negative for customers.


You’re assuming it would not have been 100,000 without the DRM. You cannot prove, or cite any research, showing it would not have been much worse. In which case, it could indeed be quite effective.

The entire argument you all are having is predicated on the assumption that the presence or absence of the DRM and/or the user's ability to defeat it in some way affects a user's ability to present a stream of the content.

I am telling you flatly that the users who are producing the streams have absolutely no concern or effect from the DRM. Most probably are completely unaware of it. It's quite literally as simple as plugging your phone into your computer with a $15 cable and pressing the Cast button on a webpage.

We as nerds are privileged to recognize that the $15 HDMI capture card in the above scenario is playing fast and loose with HDCP; maybe we understand systems like ContentID that don't rely on any of this; maybe we recognize that there could be steganographic data in the output that can identify us.

Anyway my objective is to emphasize that the lack of data isn't sufficient to imply a false hypothesis. Please don't exaggerate your point in an attempt to 'balance' an argument that doesn't seem likely to support a conclusion that content piracy would be much worse without DRM.


Indeed I can't, just like you cannot prove, or cite any research, showing it wouldn't have been 1,000 if the content was accessible without arbitrary artificial restrictions on the devices consuming it.

By all means keep taking down illegal streams. I'm not excusing the people providing them. I'm saying maybe stop treating every paying customer as if they're going to do that to the detriment of the service provided. Because it is negatively affecting the service.


What I will say in response to that is that I empathise with people who have no physical ability to access content. If the rightsholder doesn't have it available in a territory and/or no distributor is willing to carry it? Who am I to say it's wrong for it to be available elsewhere.

The contrast to that is that you're not obligated to watch everything out there and just because you can't watch something isn't an offense to humanity. It's leisure, not the top of the pyramid of the hierarchy of needs.

The real problem for us is with freeloaders, people who will steal to avoid paying for the work we put in. It's not some nebulous Scrooge McDuck money pit, streaming is really hard and costs a lot of money to do right. I get to see our cloud computing bill, it is eye watering. Then you have to employ people to build and maintain 30 different apps for every smart TV, smart phone, games console, set-top box, browser, tablet, etc. Then you need people to build and maintain hundreds of backend services to provide catalogues, account management, billing and metadata. Then you need people to run the media processing, encoding and distribution. Then you need an operational support team to ensure 99.999% availability because people are passionate about what they watch. You need a rights team to get the deals, you need a legal team to arrange contracts, you need a finance team to pay everyone, you need infrastructure and IT support for all that.

Oh, and to top that all off, I have to spend significant amounts of my time dealing with patent trolls who want a slice of the action.

One thing I am looking at is a way of removing DRM, by adding invisible watermarking which would attribute every leak to an individual. But then what happens? I turn off DRM and someone releases it online. I know who did it, but am I going to get my pound of flesh? Unlikely.

One of the main reasons I have DRM is because it's contractually required. It does certainly provide a mechanism to prevent casual piracy, it provides me a control point, somewhere I can restrict playback and attribute it to a certain situation. Most people have to jump through hoops to get around the restrictions provided by DRM and that's a good thing because it does reduce proliferation. I'd actually support an alternative to DRM, some kind of trust anchor where I can trust that code run in a browser is not tampered with so I could just use things like mTLS and tokens, but there's plenty of people out there who would block such a thing and instead we have to go with commercial solutions that sit outside the standards.

I don't have any desire to treat anyone but pirates like the enemy, and it's certainly not our intention, our intention is to make everything as friction free as possible within our contractual responsibilities. But when people just want to burn the whole thing down around you and have a wild west, it's not reasonable. If you want to argue, then show me how it can be done, show me how I can protect our assets without DRM? The group I am in within the business used to be called the "Revenue Protection Unit", because ultimately it was about protecting ourselves. Not to make us rich, but to make the business sustainable and unless you've seen how hard it is to make a streaming business sustainable, it's really hard to appreciate it.


I used to be the chief DRM guy at another large streaming service.

I can say 100% that the company did not want DRM as it was unreliable and customer-unfriendly, but it was the rights-holders that were badly educated and informed and would demand it in their contracts. I would suspect that is the case at a lot of other streamers too?

(the cost of the DRM was near-zero at our company)


Absolutely, I have to review contracts on almost a weekly basis, all of which say what I have to do and it's usually waaaaay worse than anyone here would want.

I spend way too much time pushing back on overzealous requirements.


I'm gonna be extremely blunt given that I have you in my audience, large streaming media worker bee: It's not surprising in the slightest that you have a bias towards the effectiveness of DRM when your livelihood depends on it. The fact that the unit-cost is "relatively insignificant" is simply a continuation of the straw man argument that props up the entire notion that DRM is somehow cost effective. I don't personally think you are a jerk or anything for working your job, but I can say that I would not personally find it fulfilling to spend my own career on something with such diminishing returns. I guess all of those insignificant expenses add up to some good money in the end, at least in someone's opinion. The incentive to continue burying the failed promises of DRM and keep it propped up as long as possible is evident though; the story really hasn't changed in the 30 years or so that I've been following it.

The lack of a "save video" button in the player app is the most effective means to prevent the average person from distributing the content. By your "lock on the door" analogy, a UI that does not allow the thing you don't want your users doing is providing more or less equivalent protection to the DRM. It doesn't matter how many locks you put on your door if all the attacker needs to get what they want is to look through the window. Why continue to invest in the additional technology if it is not actually adding significant additional protection? By the time any user presents a willingness to do anything at all to circumvent your standard software interface, you have lost; the user will succeed. Plugging in a $30 recorder and pushing the button is all it takes, and all the sweet cutting edge secure enclave crypto quantum DRM in the world cannot prevent it. How many of those 20k illegal streams you cite even bothered to break the precious DRM? My guess is zero.


Right, as though extensions for downloading videos haven’t been Top 10 most installed on all major browsers for over a decade.

I understand your points and I wish you all the best with your job. But please tell your bosses to let me buy single episodes of the series I like or every movie in history. No monthly subscriptions. I stay months without watching anything, then maybe two or three series at once, one episode per week each. The industry business model doesn't fit my habits.

I believe Amazon and Google have the ability to buy single episodes or single series, or rather I'd say I've seen it in the past.

>>So, you could enjoy it at zero cost, from the original provider in high quality, with no commitment. That night our anti-piracy team took down 20,000+ illegal streams, serving a large audience.

And....was it worth it? Do you think literally anyone from those 20k people actually signed up for your trial?


I think DRM works fine for the actual customers, the companies that are distributing video who need to convince the movie producers that they are taking it all very seriously, so they need to check some “our platform uses DRM” box. It all looks very odd from us downstream. But, still, most people don’t break DRM so it must be doing something.

For a long time the industry worked by shipping movies off to theaters, to be run in projection rooms secured by kids doing after-school jobs. I think they aren’t concerned with perfection.


I agree, DRM has significant costs.

Consider you've encoded and packaged your mezzanine into ABR (dash, HLS) and it's working on phones, browsers, smart TVs, STBs etc. Now you add common encryption: repackage and get double the number of tracks (CENC as well as CBCS). You buy your licenses from Apple (Fairplay), Google (Widevine), Microsoft (Playready) and Marlin (old crap). What used to "just work" now has all kinds of subtle interop problems.

Audio sync issues on iPad? Ah, Apple pushed a bad firmware update, thank you. Tomorrow it's users complaining about Widevine in Firefox. Only Netflix, maybe Disney+ — the biggest of the biggest can do streaming with DRM and make a profit.


I can get DRM, right now, for my videos, with 500,000 plays for $1665. That’s publicly available, commercial pricing. That’s a third of a cent per play. At Netflix scale, it’s probably cheaper.

DRM is a drop in the bucket compared to normal costs. A Netflix subscription is, what, $10? That’s enough to pay for 3,300 encrypted plays. The same provider, if I was doing over 10,000,000 plays, will drop it to just under one tenth of a cent per play, enough for over 10,000 encrypted plays. Compare that with how much the internet bandwidth, storage, and distribution costs - and the DRM is a rounding error.

You’re seriously telling me that not even one out of 10,000 plays is going to attempt a serious theft, to share it with random friends and family? Hah, it’s probably closer to 5 in 100.

Believe me - I’m not a guy who defines himself by living in a Hacker News bubble where everything needs to be perfect to be effective. I’d have DRM yesterday if I ran a streaming service, just like my copyright filings and the deadbolt on my front door.


Sharing with friends and family is not "serious theft". It is benevolent and what people do with books and DVDs, without industry people becoming insane about it.

I meant sending copies; where the next thing you know one purchased copy becomes thirty people holding copies.

“4K Bluray playback on PCs is effectively being phased out.”

Which will only perpetuate and speed up the problem. 4K blu ray discs suck on a lot of new tvs and players for frame rate and detail so the best visual experience is going to be on high dpi PCs (or Mac? Retina?)

If I can’t play a 4K blu ray I purchased on my pc… I’m going to probably download a ripped version and not feel guilty about it since I purchased the disc …

My M2 Pro can decode and play 4K without breaking a sweat and with amazing battery life on VLC player


To add more to this, 4K is not necessarily the only thing behind L1; even HD streams can be behind L1.

It's entirely the services' choice to use what they want, like they can even put SD stream behind L1 and leave 4K for L3 (this happens widely in lesser known services & L2 is hardly used). Also Amazon's 4K is different from Netflix's 4K considering the key revocation TAT. So everything changes from service to service.


It does seem like Netflix has been doing a decent cat-and-mouse game with Widevine for anything over 540p the last few months. There's been several shows that took several days to get properly copied (i.e. not just screen recorded).

> so everything is immediately available in at least 1080p.

Aren't the lower tiers only 720p? At least all the streaming services give Linux users only 720p. (There is a workaround for one particular service to still get 1080p - I'm paying for it so I better can watch it in 1080p! The moment this stops working I cancel my subscription.)


There are three Widevine tiers, L1, L2 and L3, which generally correspond to 4K, 1080p and 720p respectively though it depends on the service. L3 is what you get on Linux. L2 is supposed to be more secure than L3 but AFAICT it makes little difference to piracy groups, L1 is the only actual roadblock for them.

Why are Linux users limited to L3?

Because it doesn't meet the requirements for L2. I think L2 implementations are required to block software screen recording, for example, and there isn't really any practical way to enforce that on an open platform. Windows/Android/iOS have special support for compositing protected content so if you try to read the framebuffer back the content just shows up as a black rectangle.

DRM only really works if you're not root on your own machine, and with Linux you're always root on your own machine. Quite frankly I think DRM (the normalization of rootkits) is dangerous.

L1/L2 requires a third party who could be liable to sign that the drivers are unmodified to the hardware.

On a general purpose Linux installation who would do that?

(And who in the Linux using community wouldn't take any efforts by someone to try as an affront, bluntly).


Also there aren’t really enough of us watching videos on Linux for it to be a worthwhile market for them to address, I think.

So it turns out chrome os ships with a shared library to support L2 (since it's entirely in software). There's a patch to get it working on other Linux distributions.

L3 can do FHD on Linux but it's the service's config that prevents that.

Why do they do that?

The lower levels of Widevine protection are weaker, so the content providers like Netflix only allow playback in standard definition or 720p at those levels.

They don't want the highest quality to be available on devices where the DRM can easily be broken.


>They don't want the highest quality to be available on devices where the DRM can easily be broken.

they don't want to admit you can get L3 key material from androids super easily. They just are obnoxious assholes.


Not immediately; sometimes when they revoke the keys it can take a few months for the likes of StreamFab and AnyStream to catch up even with 1080p. E.g. StreamFab is currently stuck on 480p for Netflix, and it has been like that since January.

Couldn't scene groups just keep the exploits for decrypting streams for themselves? Is there any way for Netflix/Widevine/PlayReady to detect this?

I don't know the technical details but Widevine claims to have a system for watermarking content, which may allow them to trace the origin of ripped content back to the set of keys which decrypted it so they can be revoked.

https://www.digimarc.com/resources/widevine-announces-digita...


There are no exploits for Widevine. The system operates by requiring a key, which is obtained from the unsecure hardware enclaves of some of the thousands of devices whitelisted by Widevine. When you access and share publicly 4K content, the keys for that specific device are blacklisted, necessitating the purchase of a new device to extract a new key.

If you approach it at the most fundamental level, it seems like a clearly impossible goal to achieve. You are having users playing back content on their private devices, and then want to try to prevent them from copying that. That's basically impossible to achieve on somebody's own machine, and literally impossible to do once two enter into the picture. In the absolute worst case a high resolution/hertz cam on one's own screen with a quick ML software polish job, would look near to completely indistinguishable from the original content.

I imagine the reason so much money has been spent on it is because studios prefer to blame piracy than content for increasingly poor sales. So they see it as their salvation and are willing to pay big bucks, even if it's impossible. That's a primo ground for hucksters and charlatans to make a killing. Something similar happened in poker where players wanting to use fully automated software to make their decisions ended up just stepping outside the cat&mouse game and using a setup with a second computer + cam - completely and absolutely impossible to detect.


I imagine in the future DRM is directly embedded in the viewer's brain and if it detects pirate content it just fries you.

I genuinely can't imagine any other form of DRM being successful.


You could require that all devices capable of video or audio display or capture embed models to detect copyright-protected content, and only proceed with playback or capture if they are connected to the internet and are able to verify some cryptographic license is valid. Put all this logic in some secure processor that self-destructs at the slightest sign of potential reverse-engineering or irregular behavior, along with physical anti-tampering measures that make phreaking or uncapping any components liable to trigger self-destruction. Then make the circumvention of any of these measures or attempts to create or import non-compliant display or capture video or audio content carry some heavy criminal penalty, such that any group well-resourced enough to attempt bypass would judge doing so foolish.

That would probably "work".


Drink a verification can to continue.

> In the absolute worst case a high resolution/hertz cam on one's own screen with a quick ML software polish job, would look near to completely indistinguishable from the original content.

I’m not even interested in piracy (no ethical dilemma I just can’t be bothered), but I think this would be an absolutely fantastic tech demo, and also very funny. Ultimately the video has to be displayed on a screen, so this must be the final defeat for DRM, right?


Every now and then I do event tech for some small tech conferences, lectures, etc.

A while ago we had an issue where, under some circumstances, MacBooks would enforce HDCP for their output. Obviously an issue if you're trying to record and stream a talk. And we didn't have any HDCP removal devices on hand.

So I set up a Sony FX30 with Fujinon broadcast optics on a tripod, aimed at the screen. Some white balancing and adjustments to brightness and ISO curve later and the image was indistinguishable from the original.

We actually used that setup for all talks on that day, and it worked perfectly fine.


Getting the colors right would be difficult.

> have never kept the bad guys out

Careful who you call the bad guys. A lot of "piracy" comes from the people who spend the most money on the content they pirate.

I personally think the best DRM approaches are those that keep "the honest people honest:" IE, metadata that identifies copyright owners, flags that identify content that has restrictions due to copyright, and casual protections. (Think of a "do not enter" sign that you can choose to ignore if you have reason to do so.)

Otherwise, DRM really only works when the people consuming the content have motivation to keep it secret. (IE, corporate and military secrets.)


Funny thing is that most streaming platforms only have DRM because content owners pressure them. It's expensive and a huge hassle to get right.

While indeed DRM barely contributes in fighting redistribution over Pirate Bay, it does prevent stream sharing. I.e., the platform saves a lot of CDN bandwidth by forcing that onto torrents.


I think this is not entirely true, because HBO and Netflix have DRM on their own shows.

> A lot of "piracy" comes from the people who spend the most money on the content they pirate.

That doesn’t strike me as a valid statistic. Where are you getting that data from?


Simple example: My wife wants to consume certain Austrian/German content in Canada which are not available on any streaming service here. The streaming services there (Germany/Austria) do not support Canada. She was gifted DVDs of them, but that means she can't watch them on her phone or tablet (or laptop without a usb dvd drive that's region coded to Europe). Options are to:

- rip the DVDs (pain in the butt unless you have a specific setup for doing it en-masse. Some shows end up with episodes out of order, etc)

- download the shows

And this is when she's lucky enough the show/movie had a DVD release.

Similar problems exist for local content that doesn't exist on streaming sites altogether (bunch of things I grew up watching that I'd like to revisit).


Note that ripping DVDs is still piracy if said DVDs contain DRM[1], at least in the US. I don't know about CA, but I'd imagine it's similar, considering the state of copyright ...

[1] Region locking is a form of DRM, and most DVDs at least used to be region-locked. I don't know if that's still common practice nowadays.


In the US, it's only a legal violation if you try selling it. For personal use, you can rip DVDs.

Granted, the media companies use civil lawsuits to also make it feel illegal.


I think he alludes to "lore" more than statistic. In the CD/DVD age anti-piracy measures like region locks, DRM, but also annoying banners you could not skip would often make consuming the media with a regular CD or DVD player so cumbersome, that you were almost forced into ripping the media onto a hard disk first and consuming the media with VLC or similar.

The inability to just consume media using official devices on rented or purchased disks encouraged ripping, sharing and downloading.


There are in fact studies that show people that pirate tend to spend the most on legal content. See every study listed here for example: https://www.vice.com/en/article/evkmz7/study-again-shows-pir...

> That doesn’t strike me as a valid statistic. Where are you getting that data from?

I'm going to assume they are trying to say in other forms of support like word of mouth marketing, user created content, or purchases in other areas such as video game merchandise for instance?


“Careful who you call the bad guys. A lot of "piracy" comes from the people who spend the most money on the content they pirate.”

This is laughably, obviously false. Don’t let the Reddit bubble of all 300 people who do this, or the 1.2% of Yuzu users who actually dumped their own keys, distort your understanding of reality.



> or the 1.2% of Yuzu users who actually dumped their own keys

As a Nintendo Switch owner, if my console died or I wanted to play Zelda at 4K I would probably not go through the hassle of dumping my own keys and rip the game myself if I can download them on the internet in a more convenient/quick way.

So there is probably a much larger fraction of users that own their games legally but still use emulators.

Also as said somewhere else, the fact some people play pirated games they would probably not even play if they were not available that way is orthogonal to the fact they may still be the highest spenders in games. Same applies to movies/music/shows. People usually have a non infinitely stretchable budget. A lot of piracy is opportunistic but would not transfer in sales if prevented. When I was a teenager/young adult I pirated a lot of stuff to try out. My gaming/movie/CD budget was fixed anyway and I still spent money on them but for the most part I would not have bought more if those things weren't accessible illegally. Some were either out of reach for my budget (software like Photoshop or Music DAWs), others were not deemed good enough to pay for them over better records/movies/games.

And it transfers to today: while I have a totally unlimited access to 8, 16-bit and 32-bit console roms, I almost only play games I have owned and loved at the time.


The point of the DRM schemes is basically to keep video "hard enough to copy that normies don't do it". And not even "normies can't find it on the Pirate Bay" but "you can right click and download from Netflix."

If they mostly succeed at that, they consider it good enough.


If that were true it would be possible to watch in 4k resolution on Netflix on Linux. But it's not.

Because if "4k on Linux" was doable then "download a 4k rip directly" would shortly follow.

Well, it sure seems to make a market for people who would/does pay for legitimate 4k video in their browser to pirate. I am happy to pay for streaming, but as the quality goes down so does any desire to shell out honest money.

The thing that's breaking me is that I can't even figure out which combination of what I need to get what I want.

I just want to pay the $5 and watch the damn movie/show!

So instead I just ... check out the Roku from the library that has all the services and binge ;)


DRM schemes never worked, and it has been speculated that the people building them always knew it, but had other goals.

Back in the days it was: Of course you can break DVD copy protection schemes. But you cannot build a legal open-source DVD player software. Today it's: Of course every Netflix series can be found on the Pirate Bay. But you're not legally allowed to build an alternative Netflix player frontend.


Just as an aside and probably a dumb question - is Pirate Bay still a thing? I know they have archival stuff you can access, but I thought Pirate Bay died out a long time ago and even pier to pier networks have all but disappeared with streaming.

I feel like this is kind of a naïve question, but I haven't needed to use pier to pier stuff since streaming did become the standard and remember a lot of articles on Pirate Bay shutting down around 2014. Some of the 1070's movies I've found on YouTube that aren't on any streaming platform like the 1982 movie Dreams Don't Die about a graffiti artist played by Ike Eisenmann.


> pier to pier

I can’t believe that we don’t use this terminology. Of course pirates go from pier to pier. Missed opportunity


Ah yes, the mobile typing got me again.

Thank you for the good chuckle and have an upvote for that.


Yes, the Pirate Bay is still a thing:

https://thepiratebay.org/index.html

Feel free to look up your favorite movies from 2024. They're on there.


From the executive’s perspectives, DRM is working just fine.

People can’t just go get a random browser extension to save videos.

Alternative and unlicensed clients are illegal.

Sure, there’s some piracy - but even at the end of the day, pirates would watch a smartphone recording to save a buck.

To them, DRM does not have to be perfect to be a good investment; any more than copyright needing to be perfect or Speed Limit sign enforcement needing to be perfect.

Plus, every layer of complexity that gets broken, is another line for convincing the DOJ or the Jury about malicious intent.


> Sure, there’s some piracy - but even at the end of the day, pirates would watch a smartphone recording to save a buck.

I spend a lot of money on hard drives and Usenet to have quality rips. It's a service problem, not about the money


Yes, yes, the Gabe Newell quote - even though that quote was only an explanation for why piracy happened. Commonly lost in translation, that quote never once said piracy was justified or acceptable, nor did he encourage piracy under any circumstances.

I never claimed he did? I was just responding to your incorrect assumption

Denuvo mostly works. Allegedly they have a custom approach to each new game, so cracks can take months to appear, with some unpopular games never having been cracked at all. The price is lowered performance, of course.

> Denuvo mostly works.

Not for users: https://gamerant.com/denuvo-outage-servers-down-persona-5-ro...

> Allegedly they have a custom approach to each new game, so cracks can take months to appear, with some unpopular games never having been cracked at all

From what I hear, it's cracked in a matter of days or weeks. I haven't checked whether this is true or not, so I can't say you are wrong about some (most?) cracks taking months.


Looking at the previous two years of uncracked Denuvo and only selecting games that seem notable:

    Dragon's Dogma 2 (2024)
    Like a Dragon: Infinite Wealth (2024)
    Suicide Squad: Kill the Justice League (2024)
    Street Fighter 6 (2023)
    Hi-Fi Rush (2023)
    Dead Space (2023)
    Star Wars Jedi: Survivor (2023)
    Persona 5 Tactica (2023)
    EA Sports FC 24 (2023)
    NBA 2K24 (2023)
    Assassin's Creed Mirage (2023)
    Atomic Heart (2023)
    Lost Judgment (2022)
    Sonic Frontiers (2022)
    Sonic Origins (2022)
    Persona 4 Arena Ultimax (2022)
    Persona 5 Royal (2022)
    Sniper Elite 5 (2022)
    Marvel's Midnight Suns (2022)
    Total War: Warhammer III (2022)

Going back further there's more high profile games that were never cracked. The system seems to work as intended in some cases.

Many Denuvo games are eventually released without Denuvo and are then instantly pirated. Looks like the cost of Denuvo is high enough for game publishers to stick to it just enough to reach profitability and then ditch it.

Some of the games you mention were already cracked but not by the scene.

Which ones? My list has nothing to do with scene or otherwise.

Well I checked and the list is correct.

There is a closed beta copy of SF6, a leaked dev build of Atomic Heart, and an arcade dump of Persona 4 Arena Ultimax but these are unrelated to Denuvo.


> Allegedly they have a custom approach to each new game, so cracks can take months to appear

It's because it's tedious to crack it, it's not really a rocket science, they just generate new VM for the binary so you can't automate it, they inject A LOT of code paths which you need to manually follow and change. That's the only reason why games stay uncracked for months. It's a war of attrition.

> with some unpopular games never having been cracked at all

That's not exactly true actually, you need to pay for Denuvo license every year, that's why after some months or a few years it's removed from most of the games.


That's a video game DRM scheme, not a video DRM scheme

The point is pressure on equipment manufacturers, making borrowing and streaming work for digital content, maybe also deterring casual piracy, not necessarily protecting videos from appearing on tpb.

> I really don't see why so many millions (billions?) of dollars have been spent on technologies which so far have never kept the bad guys out.

Sunk cost investment bias [0].

Past a certain point, even when the outcome is obviously futile, it becomes a mixture of accumulated momentum and pure bloody mindedness to "build it if it kills us". Companies like Microsoft or Sony have entire departments of people working on "rights management".

Nobody has the courage to just say, "Sorry guys, this is a fool's errand, we're going to shut it down and move you all onto something more productive".

[0] https://en.wikipedia.org/wiki/Sunk_cost


It doesn't need to work, it needs to be a clearly demarcated legal boundary. If it's hard enough that it takes effort to cross, you can prosecute.

Someone who wanders in the woods might not be blamed for trespassing. But someone who hops a fence with a sign on it doesn't have much defense.


No. It is fundamentally impossible. DRM centralizes piracy, it makes it profitable both socially and financially to pirate harder. As DRM tries to get harder it actually gives pirates more power.

These pirates release high quality content that is better than the service provides on most devices. Typically in HEVC as well, requiring less download size.

It's also great for those that don't have consistent Internet and want to download over time.

DRM and anti piracy are a snake oil industry for business suit types that think they're protecting their assets. They're not, but they don't understand the infinitely copiable nature of digital. They want control at any cost.


I don't believe the "Digital Video Express"[1] (aka DIVX[2]) discs were ever cracked while they were on the market. But that's only because they were only sold for 1 year and nobody bought any. Even now finding information about the disc format is rare. Although anyone who has a reason to try probably should be able to do it easily since it was just 3DES.

[1] https://en.wikipedia.org/wiki/DIVX

[2] And this is when I remember that Wikipedia links are case-sensitive


HDCP is broken so none of it really matters.

The resulting files ("webrips") aren't a lossless copy of the original, but are good enough for most.


I posted elsewhere in the thread but it bears repeating, "The analog hole has gone fully digital." The generational loss from one recompression is effectively unnoticeable. What a ridiculous arms race!

Yeah web-dls might be hit or miss but webrips are such good quality that it's irrelevant for most folks anyways, since it's nearly the same quality you'd see on your TV.

I think you have terminology wrong here. By definition, WEB-DL is the exact encrypted video/audio content that is served, but unencrypted of course. You literally cannot get higher quality than a proper WEB-DL.

That's what I said, you might not be able to get a webdl depending on if the stream is cracked, but at least webrips (which are captured from capture cards) are good enough quality anyways.

> I really don't see why so many millions (billions?) of dollars have been spent on technologies which so far have never kept the bad guys out.

Because the goal isn't actually to "keep the bad guys out" - it's to strip user freedom and privacy, and make a shit load of money at the same time


> I really don't see why so many millions (billions?) of dollars have been spent on technologies which so far have never kept the bad guys out.

A PR campaign to make people think getting that content for free is harder than it is?


The DRM clearly does work in preventing "casual piracy" - where average users do things like downloading a file and keeping it forever (even after cancelling a subscription) or copying the file to a friend.

Video streaming hasn't been "a file" in a long time. HLS et al download little snippets at a time, adjusting to current bandwidth circumstances, typically with video and audio separate, etc. Even without DRM, the average user couldn't "download a file" from Netflix.

Depends on what tools you give the average user.

A simple GUI wrapper around something like yt-dlp or ffmpeg would suffice for downloading DRM-free HLS videos.

As a concrete example, try

  yt-dlp --format english_192-English+bestvideo https://devstreaming-cdn.apple.com/videos/wwdc/2020/10655/3/45C0E27F-A3BA-416D-B037-9BEE7466C11F/master.m3u8

Note that --format is only required (to get the best available version) because yt-dlp appears to rely only on metadata present in the supplied .m3u8 file to determine which stream is "best", and no such metadata appears for the audio streams in this example.

For details on what yt-dlp knows about each candidate stream when attempting to choose the best, see

  yt-dlp --list-formats https://devstreaming-cdn.apple.com/videos/wwdc/2020/10655/3/45C0E27F-A3BA-416D-B037-9BEE7466C11F/master.m3u8

This would presumably not be a problem for our hypothetical "Netflix DLP.app", which could rely on whatever convention Netflix uses to indicate stream quality to its own clients when choosing streams, rather than falling back to sensible defaults for arbitrary HLS input.

At this point, video DRM is more of a legal protection than a technical protection.

Publishers demand it, but don't understand it.

The platforms roll their eyes, but implement it anyway; cause it's a rounding error, and keeps publishers happy


If like me you don't know what PlayReady is:

> PlayReady is a media file copy prevention technology from Microsoft that includes encryption, output prevention and digital rights management (DRM). It was announced in February 2007.


At some point this silly game of cat-and-mouse is going to escalate, and streaming players won't work unless your entire computer is locked down and "verified" by Microsoft or Apple.

At some point it escalates to where the media providers make watching their media so expensive, time consuming, and difficult that piracy ramps back up.

It sounds dumb, like "why would companies shoot themselves in the foot like this" but trust that they will. They always do. Corpobrain is a form of autopilot, there's no one with intelligence in charge not because the people who work at media companies are dumb (though, they are), but because there's just literally no one in charge. It's autopilot. Each iterative decision in isolation makes sense, but when zoomed out and interpreted holistically they're killing their own business.


> ...unless your entire computer is locked down and "verified"...

This is exactly what the WEI (Web Environment Integrity)[0] specification sought to achieve, but at the browser level.

[0] https://en.wikipedia.org/wiki/Web_Environment_Integrity


Most operating systems already offer this. At some point only native apps will be supported instead of the web if browsers don't also provide it.

I think this is already the case today; streaming players don't work unless the whole chain from the player to the display is verified.

The only reason it's possible to copy such content is because keys were leaked in the past, and they are not blacklisted.


That sounds an awful lot like an Xbox, and I personally don't think we're too far off from those becoming general purpose cloud connected DRM computers coupled with recurring monthly subscriptions for all your app/game/content needs.

And yet content will still be torrented within hours. It’s always the honest consumers that lose.

This assuredness that piracy will always win will be our demise.

It's like when that first Motorola came out with a locked bootloader, or maybe the second one, I think the first was trivially crackable. I remember that year, all of the people claiming it was just a matter of time. And nowadays, among other reasons, custom roms are largely dead because people want access to PayPal, Netflix and their banking app.

It's grim. I hope to win the lottery and leave the industry before the term "computer" has lost all meaning.


The only way to reduce piracy is to make access easier and cheaper - something the music industry figured out. Sure music still gets pirated but it's a lot less.

Well, no, that isn't the only way to reduce piracy. Another way would be widespread collaboration between the largest tech corporations to lock down the pipeline from manufacturing to sale and onward

If users continue to accept this path, which... they seem to, that is where we'll inevitably end up.


That won't work. You can't tech your way out of this short of brain implants instead of screens. If there's a screen/speakers it's going to be pirated full stop. Games, okay that's a different story sure but they're already going down that path with online only games anyways.

Because the idea of brain implants is so far-fetched?

As a requirement to watch Netflix? Yes, it is.

No, that's where we are now. Not in the future, right now. It isn't working.

You fundamentally can't prevent someone copying your file. It isn't possible, full stop. You can only make it maximally inconvenient. You can't encrypt a user's eyeballs, so the media has to be transmitted in the clear at some level. Be it intercepting the LVDS signal to your TV panel or just pointing a camcorder at the screen.

The current tack is to just make it maximally inconvenient for anyone to access the file in any way. This does not consider the asymmetry in effort required. All legitimate users must deal with shitty DRM systems and broken apps, where it takes exactly one pirate to go through the effort of making a copy. Then everyone else who obtains a copy has to expend zero effort to consume the media.

Piracy is simply easier, which is why there's a resurgence now. The only sustainable option is to make legitimate consumption easier than piracy. For a lot of media, piracy is the only option to obtain a copy that will not vanish at some indeterminate point in the future, even if you paid for it.

Companies think that they can just make piracy harder, but that simply doesn't work. Once the first copy is made, the game is over. As established, there's simply no way to truly and permanently prevent a copy being created. That's simply the nature of digital media. At best, you can slow pirates down, you can never stop them. Piracy will never go away, and people need to accept that. People have been selling bootleg copies of goods since the dawn of time, there's no way to prevent it. There will always be someone nabbing copies of movies and sharing the files.

You can either waste everyone's time by trying to fight it, or you can realize that companies need to compete to survive, not just be large. If you compete with the pirates and produce a better product that people want more, well that's what capitalism is all about, isn't it?


> This does not consider the asymmetry in effort required. All legitimate users must deal with shitty DRM systems and broken apps

Oh, they do consider it. But, upon consideration, they decide that they don't care.


I wish I shared your certainty. I certainly don't share your faith in capitalism to solve anything.

Oh, don't get me wrong, I have zero faith in capitalism. After all, that's the entire reason we're in this situation.

However, market forces are actually very real. They just don't work the way capitalists think they do. Or rather, capitalists are convinced they can control the market through technology. Unfortunately for them, this is a technology that can't be solved or controlled.


What about the analog loophole? At some point, the data needs to be manifested in the real world.

It's not as though there's no effort to close this loophole (see HDCP and probably others) - I don't expect them to give up any time soon

Granted, pointing a camera at a screen and recording will always be possible - but I say if we ever reach the point where that is the only option, we've lost.


It is not a given that this will always be possible. I could imagine some kind of steganographic watermark in videos - diffused over the entire signal so that it cannot be easily cropped out - combined with a check for the same in all recording equipment that blocks the recording or blacks out the area if detected. Could be done "voluntarily" by all large manufacturers for starters, then eventually mandated by law for all equipment sold or imported into the country.

And there's already precedent for this kind of thing: the way copiers block money bills as source.


i suspect one factor is that music is a lot cheaper to produce than movies, so selling music at an "accessible" price is a lot more viable as a solution. plus, there's a larger market for music since music is largely consumed in isolation. people tend to listen to music themselves so they would either buy a copy for themselves, or stream for themselves, so there's the benefit of volume as well. on the other hand, movies are more likely to be consumed in groups - a group of people watching one movie will only pay once.

for the tv/movie industry, the best solution we have right now is basically streaming services like netflix. the issue is that it's probably still not economically feasible for companies like netflix to pay for the streaming rights of new movies for their subscribers, especially those big budget movies. so for those, either you'd have to wait until the price is more palatable for netflix, or you'd have to just pirate it.


Whose demise?

Has there ever been a time where piracy hasn't "won"?


So this is pretty much about breaking the client side DRM, with a bad side effect of abusing someone else's Identity (as used within the DRM context) for nefarious purposes. Did I understand this correctly?

The "client" whose "identity" is abused here is not an end user. A "client" in this context is a program or library that talks to the license servers and receives the content decryption keys. On my Windows machine I see a "Windows.Media.Protection.PlayReady.dll", which I guess is the client that they cracked. Maybe there are also other clients that are widely accepted by license servers.

The attack essentially means that they could write a program themselves that acts as "Windows.Media.Protection.PlayReady.dll" to get decryption keys from a server. What will happen now is that Microsoft will deprecate the client and release a new one with new obfuscation and new keys. The license servers will start rejecting the old cracked client. And then people will crack the new client. And the cycle continues.


> The "client" whose "identity" is abused here is not an end user. A "client" in this context is a program or library that talks to the license servers and receives

Thanks for the clarification.

Otherwise people would be worried about being targeted and having "personal" keys tied to a financial account or online identity getting sold and used by others to access arbitrary content.

This seems kinda good news for concerned users, but even worse news for Microsoft.


Does PlayReady now require a secure enclave/TPM on your PC? Otherwise as you say, the only thing protecting the keys is obfuscation. This has been the same way all the way back to the first Microsoft DRMv1 in 1998 (?).

The decryption keys have to be stored on your device so you can play your media or your game. So, the level of encryption is totally moot. The level of obfuscation is all that really protects the content.


With PlayReady, as with any other DRM scheme really, there are different tiers. There is SL2000, which is done completely in software (whitebox crypto), and there is SL3000, which does require a TEE. Which tier is required for which type of content is driven by streaming provider or studio requirements. I think it is pretty common to allow content up to 1080p to be used with whitebox crypto, whereas 4k+ content will require hardware DRM.
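How a license server could apply the tiering described in this comment, together with the reject-the-old-client step mentioned earlier in the thread, as an added sketch that is not PlayReady's or any streaming service's actual code. The class names, the byte strings standing in for client certificates, and the 1080p/2160p thresholds are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

SL_SOFTWARE = 2000  # whitebox crypto, no TEE (SL2000 in the comment above)
SL_HARDWARE = 3000  # keys handled inside a TEE (SL3000 in the comment above)

# Constructed policy: (maximum output height, minimum security level).
HEIGHT_POLICY = [(1080, SL_SOFTWARE), (2160, SL_HARDWARE)]


@dataclass(frozen=True)
class LicenseRequest:
    client_cert: bytes      # stand-in for the client's certificate
    security_level: int     # in a real server this is read from the verified
                            # certificate chain, never from an unsigned field
    requested_height: int


@dataclass(frozen=True)
class Decision:
    granted: bool
    max_height: int
    reason: str


class LicensePolicy:
    """Decides whether to issue a content key and at what resolution."""

    def __init__(self):
        self.revoked = set()  # SHA-256 digests of revoked client certificates

    @staticmethod
    def digest(cert: bytes) -> str:
        return hashlib.sha256(cert).hexdigest()

    def revoke(self, cert: bytes) -> None:
        self.revoked.add(self.digest(cert))

    def decide(self, req: LicenseRequest) -> Decision:
        # 1. A revoked client identity gets nothing, whatever level it claims.
        if self.digest(req.client_cert) in self.revoked:
            return Decision(False, 0, "client identity revoked")
        # 2. Highest resolution this security level is allowed to receive.
        allowed = max(
            (h for h, lvl in HEIGHT_POLICY if req.security_level >= lvl),
            default=0,
        )
        if allowed == 0:
            return Decision(False, 0, "security level below minimum")
        # 3. Cap rather than refuse: a software client asking for 4K gets 1080p.
        if req.requested_height > allowed:
            return Decision(True, allowed, "capped to tier limit")
        return Decision(True, req.requested_height, "ok")


if __name__ == "__main__":
    policy = LicensePolicy()
    old_client = b"constructed-client-cert-v1"
    print(policy.decide(LicenseRequest(old_client, SL_SOFTWARE, 2160)))
    policy.revoke(old_client)  # identity reported as compromised
    print(policy.decide(LicenseRequest(old_client, SL_SOFTWARE, 1080)))
```

The revocation check only helps once the server knows which identity leaked; until then a request built from extracted keys passes step 1 exactly like a genuine client.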

Yup.

Basically the means to forge an authenticated cookie.

[Update]

It's a bit more subtle: Having the keys to forge a license request and decrypt server response allows you to emulate or re-implement a DRM client.

Because the server is oblivious to this fake, it will respond as though it's talking to a genuine "secure" client thereby ultimately exposing the content decryption key.


> In that context, this is vendor’s responsibility to constantly increase the bar and with the use of all available technological means.

Or the vendor could just let me consume the content I paid for in whatever player I like. Which is what happens anyway, as this sort of DRM is always breakable. If the media consumer can view the content at all, they can simply record that output and re-encode in a more convenient storage format.


Yes, there is always the analogue loophole. And opening cryptography toolbox to control how users consume content is a lost cause. Crypto can only protect contents from adversaries that don't have the key. But here the paying user is the adversary and the only way the DRM can paint the video on screen is through that key.

So DRM boils down to security through obscurity. Turns out obscurity is hard, expensive and never works very well.


do software cracks usually get posted to seclists? this is expected in the design of DRM...

Given how horribly all major companies, MS most certainly included, confuse authentication vs. authorization, this is almost certainly able to be paired with a 'vulnerable' (all) endpoint to retrieve/post/update player information.

The horizontal pivot from DRM/crypto-managed Identity to a session token, an unassumingly-kosher redirect, or just omitting the "AUTHENTICATION" header itself is a trivial exercise for the common script kiddie.

This is how exploit chains get a foot-hold, and "secure" accounts get compromised like it was 2010 again.


I don't understand a word you've said.

Find an endpoint that checks the validity of the DRM token they have broken.

See if that endpoint just hinges on that DRM token, since its crypto-secure, why check any other fields?

Spoof other fields.

10k+ 0-day exploit.
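The server-side gap this comment sketches, shown as a weak handler beside a strict one. This is an added example, not part of the thread and not modelled on any Microsoft endpoint; the token format, the session table, the handler names and all values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key"                    # constructed signing key
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}   # constructed user sessions


def fresh_profiles():
    """Constructed account store, rebuilt for every run."""
    return {"alice": {"email": "alice@example.test"},
            "bob": {"email": "bob@example.test"}}


def sign_device_token(claims: dict) -> str:
    """Token that identifies client software, not a user account."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_device_token(token: str):
    """Return the claims if the signature is valid, else None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def update_email_weak(profiles: dict, req: dict) -> int:
    """Authenticates the client, then trusts every other field (the flaw)."""
    if verify_device_token(req.get("device_token", "")) is None:
        return 401
    if req.get("account_id") not in profiles:
        return 400
    profiles[req["account_id"]]["email"] = req["email"]
    return 200


def update_email_strict(profiles: dict, req: dict) -> int:
    """Valid client token is necessary, but the account comes from the session."""
    if verify_device_token(req.get("device_token", "")) is None:
        return 401
    account = SESSIONS.get(req.get("session_id"))
    if account is None:
        return 401                      # no authenticated user
    if req.get("account_id", account) != account:
        return 403                      # caller named someone else's account
    profiles[account]["email"] = req["email"]
    return 200


if __name__ == "__main__":
    token = sign_device_token({"client": "player", "level": 2000})
    req = {"device_token": token, "session_id": "sess-bob",
           "account_id": "alice", "email": "changed@example.test"}
    print("weak  :", update_email_weak(fresh_profiles(), req))    # 200
    print("strict:", update_email_strict(fresh_profiles(), req))  # 403
```

A log line for every 403 from the strict handler, with the device token's claims attached, gives defenders a signal that a client identity is being used against accounts it was never bound to.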


Still no go.

Can you make a sentence like "Microsoft will ..." or "a problem is that ..." or something?


And it paints an even bigger target on domestic Windows machines used for media content.

Who wants to "steal" their _own_ keys?

Microsoft's broken DRM scheme creates objects of value which it then tries to store on the client's machine deliberately beyond the owner's control and security management. It is adversarial to the user. This is clearly a no-win situation... hence the snarky sign-off about vendors "raising the bar", basically saying; Good luck with that! It really seems quite unhinged.

So now there is collateral damage:

  - A motive to hack Windows machines to steal content keys.

  - A misuse of "identities" through a market in stolen keys

  - Pivots (as parent says) to other malware vectors

So, predictably, because of DRM, Microsoft Windows is now an even more dangerous and insecure system. Why do people persist chasing this unnecessary, pathologically involuted technological misadventure? Surely "controlling and monitoring people's content" is not a hill worth dying on?

I'd agree, but licensed content can be revoked - MS is pretty good at publishing digests of "known-compromised" ID's/Serials/Private Keys.

I'd be more concerned about any other, more important facets of a user's account/assets/property that assumes the DRM is secure, and leans on that.



