
4K streaming content is hit or miss because most services lock that behind Widevine L1, which requires implementors to use a secure enclave and the entire signal path to use strong encryption. If an L1 implementation gets compromised it quickly has its keys revoked and is downgraded to L2/L3, so piracy groups have a limited time window to dump as much 4K content as possible. Those lower Widevine tiers are permanently broken though so everything is immediately available in at least 1080p.

4K Blurays are currently always ripped due to an unfixable compromise in Intel SGX allowing PowerDVD's keys to be extracted, they could close that hole by revoking PowerDVD's keys for new Bluray releases but they haven't done that yet. I imagine they will at some point because PowerDVD requires SGX to play UHDs, and Intel stopped supporting that on newer consumer hardware, so 4K Bluray playback on PCs is effectively being phased out.




> the entire signal path to use strong encryption

But the display panel itself still receives an unencrypted LVDS signal, which should not be too hard to decode. There are (were?) also cheap HDMI splitters that conveniently strip HDCP.

Your only issue is that yes, you can't get at the original compressed video stream and have to reencode, possibly losing a tiny bit of quality.


That is true, but ripping content in that way is a much bigger burden on piracy groups since it has to be done in realtime, can't be done in parallel without multiple expensive hardware rigs, and metadata like subtitles can't be extracted automatically. Rips of streaming shows often have a dozen or so subtitle tracks and nobody is going to transcribe and re-time all that by hand if they can't decrypt the stream directly.


Are subtitle tracks also encrypted? I've always had the impression that only video itself is.

edit: But the subtitle tracks are also available on software-only DRM levels that are easy to break.


Actually now I think of it that doesn't matter since you could just pull the subtitles from the weakly protected 720p version then apply them to the higher resolution versions. Ripping the 4K video through LVDS or HDMI capture would still be annoying though.


I don't know the burden is as big as you imagine. I used to run a torrent site that was 99% recorded shows through capture and we still had every single broadcast show uploaded within minutes -- and no uploaders were getting paid, they were just bored and doing it for the Internet points.

edit: also to add, we would get employees at the studios send us discs with the new shows before release, but I had agreements with at least one studio to not allow uploads until after broadcast if we received any of their media


Yep I realized that and edited my parent comment but you beat me to it.


Another complication for LVDS capture is that HDR content is always tonemapped/filtered (OLED ABL etc) before it is sent to the panel, and that processed version is what you would get with LVDS capture. It might be usable, but it would be a downgrade from other capture or decryption methods which grab the unprocessed HDR video.


With a $20 HDMI grabber you get 4K HDR video with full Dolby Vision or HDR10 metadata, without any tonemapping applied, en masse.

Combine that with some software mods to hide the UI at all times and you've got a perfect recording.

Re-encoding is the slowest and most annoying part of this process, but release groups re-encode everything anyway, so that's not an issue either.

DRM only hurts the legitimate customers, no one else.

I'm subscribed to the highest tiers of Netflix, Disney+, Prime Video, Paramount+, YouTube Premium, CuriosityStream, Nebula and Zattoo.

Yet often enough, I have to rip media from bluray because the streaming version only has audio or subtitles available in the local language or the quality is subpar.


>> I have to rip media from bluray because the streaming version only has audio or subtitles available in the local language

This. It's a huge problem for us expatriates living outside of their native countries - I want my son to be bilingual and as part of that I try to at least play cartoons in my native tongue - but Disney/Netflix/Prime usually only have the local language option, even though as soon as we are physically in my home country magically the same shows have dubs in local language. So all of these corporations have these options available, but decide not to show them for whatever reason. So more often than not I have to ask family to send us actual DVDs/Blurays of kids shows so we can watch them in the language we want to watch them in.

And no, VPN doesn't always help - it's flaky, it's frustrating in its stability, one day it works the next day it doesn't, it's not the thing I want to mess with nearly every other day just to play some cartoons.


^^^ great comment. hard to imagine a better synopsis of 4k DRM in ~2 grafs. thanks!


Not mentioned above, but should be noted that all of this DRM is still only protecting the compressed and encoded video content. Schemes to protect the uncompressed digital video data are all permanently and universally broken or bypassed. The 'analog hole' has gone fully digital. One would think that alone would be enough to seal the deal on the pointlessness of DRM, but unfortunately there are a lot of gullible execs out there that want to keep pouring money on the fire.


As long as it stops even 100,000 people from not downloading videos off of Netflix, from an executive’s perspective, it pays for itself.

To them, it’s like saying Speed Limit signs are useless, because cars can go faster than the number posted by literally pressing a button. That’s not the point.


Yes if a particular group gets to externalise / socialise the costs of maintaining a protection then obviously from the perspective of the protected group then it's worth it.

The question is, is it good for society overall. Who or what is being protected and what impact does that have on everyone else?

Speed limit / stop signs represent a decent point of discussion I think.


> The question is, is it good for society overall.

That’s not what execs ask at all. I don’t know where you’re living. The existence of DRM is not in any way related to society.

Their analysts say it’s a net positive on their balance sheets, so DRM is here. Everything else is baseless speculation.


Speed limit signals danger, right?

Does DRM signal an ethical dilemma?

And if yes, what does it mean considering that each year we lose millions of people on the roads. (To fatalities and horrific injuries resulting in permanent disabilities.) Yet the majority doesn't care?


There is no "particular group" or "everyone else". Everyone has rights over their own creative work, even if that's mildly inconvenient to others. It's part of the social contract of modern society.


The people who profit from all this are mostly not those who can claim that it is their own creative work.


Finish the thought. How do they profit from someone else's creative work? Is it a) by just taking it because they can? or b) by mutual agreement with the original creator?


By being in a dominant economic position whereby they can force predatory terms onto content creators who cannot avoid them if they want any chance of getting anything at all, or reaching a significant audience.


You're trying to use emotional language to avoid actually thinking about the question. The correct answer is b, and the alternative is just plain banditry.

You don't have an automatic right to compensation or audience for your work. Your right is that others can't take your work without your permission--i.e. that they don't own your text just because they can read it. If you have no rights over your text, then only the man with the printing press wins. When you do have those rights, you can trade them for compensation, audience, etc. and that's your choice, not theirs.

Does this mean that agreements are made between entities in unequal economic positions? Yes. But so does employment, so does freelancing, so does nearly every business ever.

Being personally dissatisfied with the current economics of publishing does not change the social contract that underlies it.


> But so does employment, so does freelancing, so does nearly every business ever.

Sure, capitalism is fucked up all the way through.

If and when you get it to the point where people can negotiate from position of equal power (also in all those other areas, yes), then I could take your ethical point seriously.

As it is, the companies that get harmed by piracy of the kind that DRM prevents are parasites on society, and the notion that the deal that they force on the rest of us through their position of economic dominance is some kind of "social contract" is laughable. Which is exactly why piracy is so prevalent - if it really were a social contract, people wouldn't do it in droves.


> capitalism is fucked up all the way through

My brother in Christ, you work for a two trillion dollar company built on these same rights.


I do, but I don't have to worship either the company or the system.


If you take the capitalistic lust of the corporate executive to its logical extreme, given the massive costs of the DRM tech you'd think that at least one of them would realize that they could make more money if they didn't have to pay for something that doesn't work. The economics of distributing the copies are such that it doesn't actually matter if it's easy or hard for 1 or 100,000 people to break the protection.


I work for a large streaming service and a significant part of my work is content protection.

Honestly, tech folks' misunderstanding of DRM and content protection is significant. There's some assumption that people are inherently honest and that we're just money grabbing. In the years that I've been doing this I've seen a lot of things and nothing has convinced me that if we turned off DRM we'd: 1) save money 2) not have issues with piracy proliferation

The cost of DRM license issuing for our company is relatively insignificant, a year's worth of DRM for millions of users is less than the cost of a single show we might make. We pay cents per thousands of plays.

I recall we launched in a new market, we did a show which would have been an expensive PPV previously, but it was included in our standard subscription. We also offered a first month free trial, which you could cancel. So, you could enjoy it at zero cost, from the original provider in high quality, with no commitment. That night our anti-piracy team took down 20,000+ illegal streams, serving a large audience.

I also acutely know that DRM isn't as secure as we'd like, I know that all security measures are ultimately not anywhere near perfect. But you know what? I also lock my front door, even though I know how to pick locks. I put my car keys in a RFID box, despite knowing there are probably CAN attacks against my car. I still need to protect my assets, because enough people don't want to pay for something if they can get it for free.

We had some research into the attitudes of pirates that basically distils down to: 1) 1/3rd would pay if they couldn't get the content any other way 2) 1/3rd don't care enough and are casual pirates, watching because they can. 3) 1/3rd are "pay never", militant, yet still happy to take my work without concern for the sustainability of that.

Ultimately, if you like content then you should pay for it, but it's always a waste of time arguing about this on the internet because so many people are in the third category, think I'm an asshole for doing my job and apparently they know my job better than I do.


That's all beside the point. Hardware belongs to the user and should be under the user's control. Treacherous computing should be highly taboo and illegal.

The "sustainability" of Disney's profits is not important. To suggest otherwise on a site literally named Hacker News is comical.


Why would bringing up sustainability of any business be comical at Hacker news?

How do you make money? Why should it not be for free? Your sustainability is important?

We agree on hardware belonging to the user by the way.


Hacker ethos is about freedom to control what you own and put it to the purposes that you, its owner, want. DRM takes away that freedom, so it is obviously incompatible.

If that freedom makes e.g. Disney business model unsustainable, then that business model is itself incompatible with the ethos.


You're still missing the point, and I believe intentionally so.

> We agree on hardware belonging to the user by the way.

You absolutely do not or you would not engage in the work you do. Actions speak louder than words. Being dishonest only makes it even worse.


The argument from the other side is at least as frustrating.

> ...nothing has convinced me that if we turned off DRM we'd: 1) save money 2) not have issues with piracy proliferation

> That night our anti-piracy team took down 20,000+ illegal streams

You already have enormous issues with piracy proliferation. The money you spend on DRM may be "relatively insignificant", but it's still money being wasted on "protection" that has already proven to be utterly ineffective.

I am in none of your three groups. I want to pay for content. I pay for a lot of music, for example. But you're not going to bully me into paying for your shit by making it as user hostile as possible. As a paying customer I expect at least the level of service that piracy groups have no trouble providing, but instead I'm treated like an enemy every step of the way.

In practice this means I avoid TV shows and movies, but when I do want to watch one I have absolutely zero moral qualms pirating a product that is not for sale. I'll even go out of my way to look for a DRM-free copy I can pay for first. This takes more time than pirating it once I inevitably find out that's not available.


> already proven to be utterly ineffective

The fact that it does not always work, is in no way a proof of ineffectiveness.

Otherwise, the tax system, speed limit signs, front door locks, and glass windows are also “completely ineffective.”

He is literally telling you, from his own experience in his company, it’s effective. Don’t cite a sloppily-produced research paper from somewhere to make him deny reality.


> Don’t cite a sloppily-produced research paper

I'm not, I'm citing their own comment in which they describe taking down 20,000+ illegal streams of their already DRM-"protected" content on launch day. He's describing it not being effective at all.

Glass windows, speed limit signs, the tax system (what?) provide value to the people affected by them. DRM is a pure negative for customers.


You’re assuming it would not have been 100,000 without the DRM. You cannot prove, or cite any research, showing it would not have been much worse. In which case, it could indeed be quite effective.


The entire argument you all are having is predicated on the assumption that the presence or absence of the DRM and/or the user's ability to defeat it in some way affects a user's ability to present a stream of the content.

I am telling you flatly that the users who are producing the streams have absolutely no concern or effect from the DRM. Most probably are completely unaware of it. It's quite literally as simple as plugging your phone into your computer with a $15 cable and pressing the Cast button on a webpage.

We as nerds are privileged to recognize that the $15 HDMI capture card in the above scenario is playing fast and loose with HDCP; maybe we understand systems like ContentID that don't rely on any of this; maybe we recognize that there could be steganographic data in the output that can identify us.

Anyway my objective is to emphasize that the lack of data isn't sufficient to imply a false hypothesis. Please don't exaggerate your point in an attempt to 'balance' an argument that doesn't seem likely to support a conclusion that content piracy would be much worse without DRM.


Indeed I can't, just like you cannot prove, or cite any research, showing it wouldn't have been 1,000 if the content was accessible without arbitrary artificial restrictions on the devices consuming it.

By all means keep taking down illegal streams. I'm not excusing the people providing them. I'm saying maybe stop treating every paying customer as if they're going to do that to the detriment of the service provided. Because it is negatively affecting the service.


What I will say in response to that is that I empathise with people who have no physical ability to access content. If the rightsholder doesn't have it available in a territory and/or no distributor is willing to carry it? Who am I to say it's wrong for it to be available elsewhere.

The contrast to that is that you're not obligated to watch everything out there and just because you can't watch something isn't an offense to humanity. It's leisure, not the top of the pyramid of the hierarchy of needs.

The real problem for us is with freeloaders, people who will steal to avoid paying for the work we put in. It's not some nebulous Scrooge McDuck money pit, streaming is really hard and costs a lot of money to do right. I get to see our cloud computing bill, it is eye watering. Then you have to employ people to build and maintain 30 different apps for every smart TV, smart phone, games console, set-top box, browser, tablet, etc. Then you need people to build and maintain hundreds of backend services to provide catalogues, account management, billing and metadata. Then you need people to run the media processing, encoding and distribution. Then you need an operational support team to ensure 99.999% availability because people are passionate about what they watch. You need a rights team to get the deals, you need a legal team to arrange contracts, you need a finance team to pay everyone, you need infrastructure and IT support for all that.

Oh, and to top that all off, I have to spend significant amounts of my time dealing with patent trolls who want a slice of the action.

One thing I am looking at is a way of removing DRM, by adding invisible watermarking which would attribute every leak to an individual. But then what happens? I turn off DRM and someone releases it online. I know who did it, but am I going to get my pound of flesh? Unlikely.

One of the main reasons I have DRM is because it's contractually required. It does certainly provide a mechanism to prevent casual piracy, it provides me a control point, somewhere I can restrict playback and attribute it to a certain situation. Most people have to jump through hoops to get around the restrictions provided by DRM and that's a good thing because it does reduce proliferation. I'd actually support an alternative to DRM, some kind of trust anchor where I can trust that code run in a browser is not tampered with so I could just use things like mTLS and tokens, but there's plenty of people out there who would block such a thing and instead we have to go with commercial solutions that sit outside the standards.

I don't have any desire to treat anyone but pirates like the enemy, and it's certainly not our intention, our intention is to make everything as friction free as possible within our contractual responsibilities. But when people just want to burn the whole thing down around you and have a wild west, it's not reasonable. If you want to argue, then show me how it can be done, show me how I can protect our assets without DRM? The group I am in within the business used to be called the "Revenue Protection Unit", because ultimately it was about protecting ourselves. Not to make us rich, but to make the business sustainable and unless you've seen how hard it is to make a streaming business sustainable, it's really hard to appreciate it.


I used to be the chief DRM guy at another large streaming service.

I can say 100% that the company did not want DRM as it was unreliable and customer-unfriendly, but it was the rights-holders that were badly educated and informed and would demand it in their contracts. I would suspect that is the case at a lot of other streamers too?

(the cost of the DRM was near-zero at our company)


Absolutely, I have to review contracts on almost a weekly basis, all of which say what I have to do and it's usually waaaaay worse than anyone here would want.

I spend way too much time pushing back on overzealous requirements.


I'm gonna be extremely blunt given that I have you in my audience, large streaming media worker bee: It's not surprising in the slightest that you have a bias towards the effectiveness of DRM when your livelihood depends on it. The fact that the unit-cost is "relatively insignificant" is simply a continuation of the straw man argument that props up the entire notion that DRM is somehow cost effective. I don't personally think you are a jerk or anything for working your job, but I can say that I would not personally find it fulfilling to spend my own career on something with such diminishing returns. I guess all of those insignificant expenses add up to some good money in the end, at least in someone's opinion. The incentive to continue burying the failed promises of DRM and keep it propped up as long as possible is evident though; the story really hasn't changed in the 30 years or so that I've been following it.

The lack of a "save video" button in the player app is the most effective means to prevent the average person from distributing the content. By your "lock on the door" analogy, a UI that does not allow the thing you don't want your users doing is providing more or less equivalent protection to the DRM. It doesn't matter how many locks you put on your door if all the attacker needs to get what they want is to look through the window. Why continue to invest in the additional technology if it is not actually adding significant additional protection? By the time any user presents a willingness to do anything at all to circumvent your standard software interface, you have lost; the user will succeed. Plugging in a $30 recorder and pushing the button is all it takes, and all the sweet cutting edge secure enclave crypto quantum DRM in the world cannot prevent it. How many of those 20k illegal streams you cite even bothered to break the precious DRM? My guess is zero.


Right, as though extensions for downloading videos haven’t been Top 10 most installed on all major browsers for over a decade.


I understand your points and I wish you all the best with your job. But please tell your bosses to let me buy single episodes of the series I like or every movie in history. No monthly subscriptions. I stay months without watching anything, then maybe two or three series at once, one episode per week each. The industry business model doesn't fit my habits.


I believe Amazon and Google have the ability to buy single episodes or single series, or rather I'd say I've seen it in the past.


>>So, you could enjoy it at zero cost, from the original provider in high quality, with no commitment. That night our anti-piracy team took down 20,000+ illegal streams, serving a large audience.

And....was it worth it? Do you think literally anyone from those 20k people actually signed up for your trial?


I think DRM works fine for the actual customers, the companies that are distributing video who need to convince the movie producers that they are taking it all very seriously, so they need to check some “our platform uses DRM” box. It all looks very odd from us downstream. But, still, most people don’t break DRM so it must be doing something.

For a long time the industry worked by shipping movies off to the theaters, to be run in a projection room secured by kids doing after-school jobs. I think they aren’t concerned with perfection.


I agree, DRM has significant costs.

Consider you've encoded and packaged your mezzanine into ABR (dash, HLS) and it's working on phones, browsers, smart TVs, STBs etc. Now you add common encryption: repackage and get double the number of tracks (CENC as well as CBCS). You buy your licenses from Apple (Fairplay), Google (Widevine), Microsoft (Playready) and Marlin (old crap). What used to "just work" now has all kinds of subtle interop problems.

Audio sync issues on iPad? Ah, Apple pushed a bad firmware update, thank you. Tomorrow it's users complaining about Widevine in Firefox. Only Netflix, maybe Disney+ — the biggest of the biggest can do streaming with DRM and make a profit.


I can get DRM, right now, for my videos, with 500,000 plays for $1665. That’s publicly available, commercial pricing. That’s a third of a cent per play. At Netflix scale, it’s probably cheaper.

DRM is a drop in the bucket compared to normal costs. A Netflix subscription is, what, $10? That’s enough to pay for 3,300 encrypted plays. The same provider, if I was doing over 10,000,000 plays, will drop it to just under one tenth of a cent per play, enough for over 10,000 encrypted plays. Compare that with how much the internet bandwidth, storage, and distribution costs - and the DRM is a rounding error.

You’re seriously telling me that not even one out of 10,000 plays is going to attempt a serious theft, to share it with random friends and family? Hah, it’s probably closer to 5 in 100.

Believe me - I’m not a guy who defines himself by living in a Hacker News bubble where everything needs to be perfect to be effective. I’d have DRM yesterday if I ran a streaming service, just like my copyright filings and the deadbolt on my front door.


Sharing with friends and family is not "serious theft". It is benevolent and what people do with books and DVDs, without industry people becoming insane about it.


I meant sending copies; where the next thing you know one purchased copy becomes thirty people holding copies.


“4K Bluray playback on PCs is effectively being phased out.”

Which will only perpetuate and speed up the problem. 4K blu ray discs suck on a lot of new tvs and players for frame rate and detail so the best visual experience is going to be on high dpi PCs (or Mac? Retina?)

If I can’t play a 4K blu ray I purchased on my pc… I’m going to probably download a ripped version and not feel guilty about it since I purchased the disc …

My M2 Pro can decode and play 4K without breaking a sweat and with amazing battery life on VLC player


To add more to this, not essentially 4K is the only thing behind L1, even HD streams can be with L1.

It's entirely the services' choice to use what they want, like they can even put SD stream behind L1 and leave 4K for L3 (this happens widely in lesser known services & L2 is hardly used). Also Amazon's 4K is different from Netflix's 4K considering the key revocation TAT. So everything changes from service to service.


It does seem like Netflix has been doing a decent cat-and-mouse game with Widevine for anything over 540p the last few months. There's been several shows that took several days to get properly copied (i.e. not just screen recorded).


> so everything is immediately available in at least 1080p.

Aren't the lower tiers only 720p? At least all the streaming services give Linux users only 720p. (There is a workaround for one particular service to still get 1080p - I'm paying for it so I better can watch it in 1080p! The moment this stops working I cancel my subscription.)


There's three Widevine tiers, L1, L2 and L3, which generally correspond to 4K, 1080p and 720p respectively though it depends on the service. L3 is what you get on Linux. L2 is supposed to be more secure than L3 but AFAICT it makes little difference to piracy groups, L1 is the only actual roadblock for them.


Why are Linux users limited to L3?


Because it doesn't meet the requirements for L2. I think L2 implementations are required to block software screen recording, for example, and there isn't really any practical way to enforce that on an open platform. Windows/Android/iOS have special support for compositing protected content so if you try to read the framebuffer back the content just shows up as a black rectangle.


DRM only really works if you're not root on your own machine, and with Linux you're always root on your own machine. Quite frankly I think DRM (the normalization of rootkits) is dangerous.


L1/L2 requires a third party who could be liable to sign that the drivers are unmodified to the hardware.

On a general purpose Linux installation who would do that?

(And who in the Linux using community wouldn't take any efforts by someone to try as an affront, bluntly).


Also there aren’t really enough of us watching videos on Linux for it to be a worthwhile market for them to address, I think.


So it turns out chrome os ships with a shared library to support L2 (since it's entirely in software). There's a patch to get it working on other Linux distributions.


L3 can do FHD on Linux but it's the service's config that prevents that.


Why do they do that?


The lower levels of Widevine protection are weaker, so the content providers like Netflix only allow playback in standard definition or 720p at those levels.

They don't want the highest quality to be available on devices where the DRM can easily be broken.


>They don't want the highest quality to be available on devices where the DRM can easily be broken.

they don't want to admit you can get L3 keymaterial from androids super easily. They just are obnoxious assholes.


Not immediately; sometimes when they revoke the keys it can take a few months for the likes of StreamFab and AnyStream to catch up even with 1080p. E.g. StreamFab is currently stuck on 480p for Netflix, and it has been like that since January.


Couldn't scene groups just keep the exploits for decrypting streams for themselves? Is there any way for Netflix/Widevine/PlayReady to detect this?


I don't know the technical details but Widevine claims to have a system for watermarking content, which may allow them to trace the origin of ripped content back to the set of keys which decrypted it so they can be revoked.

https://www.digimarc.com/resources/widevine-announces-digita...


There are no exploits for Widevine. The system operates by requiring a key, which is obtained from the unsecure hardware enclaves of some of the thousands of devices whitelisted by Widevine. When you access and share publicly 4K content, the keys for that specific device are blacklisted, necessitating the purchase of a new device to extract a new key.



