The BBC has swooped to close a loophole in its recently-launched iPhone streaming service that allowed Linux, Windows and Mac users to grab a high quality DRM-free download. We reported the hack yesterday morning, but today an email from Auntie assures us the party's over: "We've released a fix to prevent unrestricted …
The BBC has specifically mentioned which utility to use to strip DRM from their downloads anyway:
Remember the H2G2 Tertiary phase series?
They put all the episodes up on day one, and they could be downloaded simply by making your own page of links and incrementing one number per link.
Ah yes, great security.
For me this removed the worry of missing an episode, since I was due to be away for one week of the show. Didn't stop me buying the CD version the day it came out though.
That explains it
I suspected they'd just pulled iPlayer on the iPhone when I tried to demo it to friends in the office.
ps. Amazing choice to put the MotoGP on iPlayer. I'm impressed. Now, what about 125s, 250s, SBK and BSB?
Surely it's fundamentally fscked?
"The BBC played the beta card yesterday, telling it was aware of the hack, that it was "nothing unusual", and it was already working to block it. The contracts with third party production companies that allow the national broadcaster to offer downloads insist that DRM that locks the files down after 30 days is part of the package."
Doesn't the H264 stream service already break these contracts in any case - how do they expect to control what happens? A stream is just a download which isn't stored. Let alone a stream in a standard format which only needs to be saved and can then be easily played back without needing to re-encode or modify the container format.
People are only interested in hacking around because this is the kind of service they want, not that horrible Kontiki rubbish. The Flash streams look terrible, plus Adobe has awful support for anything other than macOS or Windows.
If they need to have DRM (I'm a realist - these things may be necessary temporarily) then they should be helping to define an open system which would allow desktop and mobile (and set-top) clients to be written.
This proprietary crap is never going to support everything - people only work on it if they get paid, they only get paid if there's a demand, there's only enough demand to justify development if the device is vastly popular. Unfortunately, lots of software seems to cost more to develop than it's notionally worth by orders of magnitude. See how much freeware/open source there is around which could never generate enough income for the primary developers to support themselves doing only that. Even open source has to fall back on support contracts and integration work to make the ends meet.
If the BBC want to see their content available to the public (as they are supposed to) then they should be working on an open spec for 3rd party apps to interface with - Google understands this, hence the recent release of the YouTube APIs.
The DRM was working fine
Why fix what wasn't broken? They had DRM, it was restricted to UK only IP addresses, that was the only DRM needed and it worked fine. It's the *extra* *crappy* *Microsoft* DRM that causes all the problems. It has never worked anyway, and just makes it difficult to play on all sorts of non Microsoft devices. Largely because Microsoft refuses to disclose how it works, doing its usual attempt at platform lockin.
Sure UK Linux users could play the files, but then UK Linux users also pay the TV license. So what's the problem with that?
Look at it this way, they delivered it in a standard format, Linux users put together a player within a few days. So set top boxes, and UK Tivos and games consoles and networked video players would all be able to play that content, and just like the Linux guys could add support very very quickly.
This is exactly what the BBC wants!
The IP address restriction is all the DRM they need. It restricts the digital rights to the UK IP addresses without restricting it to Microsoft computers only, which is exactly what is required.
Ditch the *Microsoft* DRM, keep the IP address verification DRM.
What happened? Did all 400 Linux users start using the hack at the same time?
Change the contracts
It's clearly time for the BBC to rewrite its contracts. Where it pays for the full cost of production, then it should insist on retaining the right to make the content available free of charge to license-payers in perpetuity. Obviously, the situation is more complex where it is only buying one-off broadcast rights that do not cover the full production costs.
Re: Why Bother
Why bother indeed.
If I had time (I don't, but someone else might) I'd write an application which simply records all the outputs to a monitor/speakers.
Easy to do, and lots of legal uses, so it's not specifically anti-DRM technology (the banning of which was a spectacularly stupid idea anyway - but Governments simply don't understand IT, so I wasn't too surprised).
DRM is dead.
Re: Why bother?
For the same reason people still lock their front doors even though it's possible for anyone who's determined enough to smash it open or pick the lock.
If they don't want to explain how they've fixed it, then it likely means they haven't fixed it in any meaningful way. Expect this story to come around again in a week or so.
Let's face it, if the DRM-free content is available at all to iPhone disciples, then it should be fairly easy for the l33t crowd to figure it out. Probably only needs a packet sniffer and a small amount of clue.
- It's not like they have revenue generating advert contracts to protect ..
- Have they ever heard of Digital TV recorders?
- Why wouldn't they want people to save and watch their shows more than once?
- WHY is every single institution on this planet fighting against new technologies rather than embracing them?
- Have they not heard of tv-links.cc?
It really does confuse me why they bother. Not that I use iPlayer anyway, because there are some very nifty torrent sites exclusively for UK TV content - far superior, no DRM and I've paid my license fee (AND my Sky bill), so I'll watch what I like from where I like.
FairUse4WM seems to be Windows-only (I've searched around, but can't find anything except pre-compiled binaries for Windows -- no sources anywhere), and iPlayer doesn't like non-Windows clients. So Linux, Solaris, BSD and Mac users are *still* out of luck.
We are reliably informed that it's still possible and easy to grab an MP4 download with a little extra ingenuity. We're not going to say how exactly here though. It's tip top secret.
The main difference between the current set of scripts and the ones that allowed me to wget stuff last week is that a random number (from Math.random *1000000) is appended to the URL.
What about the other
Anybody got any comment on the ip-restriction workaround that's currently operated by at least one 'company' in the UK?
Auntie currently restricts streaming to the UK by (I think) IP address blocking. However, one guy/gal/company provides a VPN to a UK IP address specifically so non-doms can stream Auntie's draws to locations outside the UK.
Isn't this a bigger revenue loss for Auntie than the hack in the story? (Particularly given the amount this 'company' charges to use their tunnel.)
Probably really simple
My guess would be that they've just restricted the IP range that can access the iPlayer streams to the blocks that O2 in the UK use.
Obviously, this would stop an iPhone connected with wi-fi from receiving the video so should be pretty easy to test if any El Reg readers own an iPhone of course!
AC as even talk of this sort of thing is probably illegal now!
Looking at the code http://www.bbc.co.uk/iplayer/page/script/1.7/iplayer_info.js
This seems to do the security (A new version was uploaded this morning according to the modified headers)
HTTP requests are pretty simple things and send very limited information. If it's securing on something sent over an HTTP GET request it will only take someone with an iPhone and a bit of knowledge to look at what is being sent and replicate it.
By the evening's out it will be bust wide open again?
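Added example (not part of any comment above, and not BBC code): the server-side view of the two points raised in the comments, the client-generated random number on the URL and checks based on what an HTTP GET request carries. A check on a client-supplied header accepts any request that repeats the header, whereas a server-issued HMAC token binding programme id, client address and expiry can actually be verified; the key, marker string, ids and addresses are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed values for illustration only; nothing here is taken from the BBC service.
SERVER_KEY = b"constructed-demo-key"
UA_MARKER = "iPhone"  # assumed client-supplied marker, as the comments speculate


def header_gate(headers: dict, query: str) -> bool:
    """Weak check: trusts a request header that the client chooses.

    The number in the query string is generated by the client, so the server
    has nothing to verify it against and it plays no part in the decision.
    """
    return UA_MARKER in headers.get("User-Agent", "")


def _mac(pid: str, client_ip: str, expires: int) -> bytes:
    """HMAC-SHA256 over the fields the server wants to bind together."""
    msg = f"{pid}|{client_ip}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(pid: str, client_ip: str, ttl: int, now=None) -> str:
    """Server side: issue '<expiry>.<mac>' for one programme and one client address."""
    expires = int((time.time() if now is None else now) + ttl)
    return f"{expires}.{_mac(pid, client_ip, expires).decode()}"


def token_gate(pid: str, client_ip: str, token: str, now=None) -> bool:
    """Server side: accept only an unexpired token whose MAC matches this request."""
    try:
        expires_text, mac = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # expired
    # Constant-time comparison; the expiry is covered by the MAC, so editing it fails.
    return hmac.compare_digest(mac.encode(), _mac(pid, client_ip, expires))


if __name__ == "__main__":
    ua = {"User-Agent": "Mozilla/5.0 (iPhone; constructed sample)"}
    print("header gate, any client repeating the header:", header_gate(ua, "123456"))
    tok = issue_token("pid-constructed", "192.0.2.10", ttl=60, now=1000)
    print("token, same pid and address:", token_gate("pid-constructed", "192.0.2.10", tok, now=1030))
    print("token, different address:", token_gate("pid-constructed", "198.51.100.7", tok, now=1030))
    print("token, after expiry:", token_gate("pid-constructed", "192.0.2.10", tok, now=1061))
```

A token like this limits who can request a URL and for how long; it does not control what a client does with the bytes once they are delivered.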
Does it work with wine?
Why they bother?
I hate that they bother (I downloaded things using the loophole myself), but the reason they bother is obvious - they legally have to. The contracts they have say that they will ensure that any content released online is secure, and only available for 7 days of streaming, 30 days for download. If they don't keep to those conditions, they'll be liable to get sued.
That said, I'd be surprised if we don't see a hack out within a few days. It's only a matter of packet sniffing what the iPhone does and repeating it from a PC. Perhaps QuickTime sends a special header to the server from the iPhone...
Wine. Just the Mac users out of luck then. Oh, hang on, Parallels or BootCamp should sort that one......
What's the use - There is a far better program about
I agree, there is also a better utility to do this. Although paid for, it's really good quality: http://www.tunebite.com
Two layers of DRM:
Layer 1 - IP DRM, restricts delivery to only UK IP addresses
Layer 2 - Microsoft DRM, restricts delivery to Microsoft devices
Tell me, what is the purpose of the second layer?
Layer 1, fine, BBC is only allowed to deliver content to UK for some programs (although their excellent Radio 4 iPlayer works well everywhere).
Layer 2, since when was there a remit to restrict it to Microsoft? BBC's entire problem stems from this layer, they can get their necessary Digital Rights Management by limiting it to UK IP addresses. So what gives with the Microsoft nonsense?
Part way towards a hack again
I've got a rough idea what's going on. To help my quest this time, I have a genuine iPhone a few feet away and will make it connect through an HTTP proxy. And this technique will beat the BBC's best efforts until they force both of the iPhone owners that use the service to download iKontiki once the SDK's released.
Honestly, they could do it right, or they could do it the BBC way.
@ACs - "Wine"
Wine only works on 80x86-like architectures (and possibly AMD64 -- but once you have put one of those processors into 64-bit mode, and the Linux kernel *does*, some of the 32-bit mode instructions become unavailable). Not everyone running Linux or Solaris is doing so on an x86 platform.
Re: The DRM was working fine
"Why fix what wasn't broken? They had DRM, it was restricted to UK only IP addresses, that was the only DRM needed and it worked fine."
This isn't the only DRM that's needed - the BBC needs to ensure that downloads aren't kept for more than 30 days.
"It's the *extra* *crappy* *Microsoft* DRM that causes all the problems. It has never worked anyway, and just makes it difficult to play on all sorts of non Microsoft devices. Largely because Microsoft refuses to disclose how it works, doing its usual attempt at platform lockin."
Microsoft's DRM may be crappy but it's the only way the BBC can ensure its digital rights commitments are met
"Sure UK Linux users could play the files, but then UK Linux users also pay the TV license. So what's the problem with that?"
The problem was that people could keep the downloads and share them around the world. Being a license payer does not entitle you to take DVDs from the BBC Shop and send copies of them to your mates - exactly what people were effectively doing with the iPhone hack.
"Look at it this way, they delivered it in a standard format, Linux users put together a player within a few days. So set top boxes, and UK Tivos and games consoles and networked video players would all be able to play that content, and just like the Linux guys could add support very very quickly.
"This is exactly what the BBC wants!"
And they're working on it. The BBC's said all along that it wants to be on as many formats as possible. It's rolling iPlayer out as fast as technology and resources will allow.
"The IP address restriction is all the DRM they need. It restricts the digital rights to the UK IP addresses without restricting it to Microsoft computers only, which is exactly what is required.
"Ditch the *Microsoft* DRM, keep the IP address verification DRM."
See above. Simple IP restrictions aren't sufficient.
And finally, will people stop whining that they've paid their TV license so are entitled to walk into the BBC archives and take what they want. The TV license does not pay enough for the BBC to pay production companies to hand over all rights to content and paste it up for free. Given that most BBC output is now made by independent producers (at the Government's request) I cannot ever see the BBC simply giving away stuff to everyone. The iPlayer service is fantastic and comes at no extra cost to license payers. Why the hell can't people just be satisfied with the excellent service they're getting instead of constantly whining that they're not being given something for nothing?
Not the BBC's Copyright
The thing is the BBC don't own ALL the copyright to (more or less) any of their TV programmes.
The BBC buy the rights to show it on TV a certain number of times and have an agreement that lets them make it available for up to seven days online but their deal doesn't extend beyond that.
Basically for every TV show every piece of music played has several rights holders, the writer retains rights, the actors all retain the right to claim repeat fees - even conductors on musical score retain certain rights.
None of those groups would let the BBC offer any TV show without DRM as offering it without DRM is the same as offering it forever and that would reduce the fees they get for DVD sales.
The IP restriction is there to stop people outside the UK using the iPlayer - in the same way FOX, Disney, NBC, ABC et al stop me using their on demand services over here - it's not directly anything to do with rights.
I agree that the BBC would be better to create their own open source DRM solution that would work cross platform - maybe they could work with ITV and Channel 4 to create one all UK broadcasters can use?
Well, considering Apple's biggest product, OS-X is based on FreeBSD, I'd be taking a look at Math.Random in the FreeBSD sources to see if it differs from Linux. Has anyone tried the hack on a FreeBSD box to see if it still works?
May I just point out...?
I've been accused of uninformed comment myself in the past but this topic really takes the biscuit.
1. This is NOT a case of Linux users creating a hack to view iPlayer, poor, deprived dears. ANYBODY in UK with Flash on ANY browser on ANY OS can view the iPlayer streams. (I've just been watching the second "Ten Days to War" using the Flash plugin in Firefox under Ubuntu fer Chrissakes.) Devices *without* a suitable implementation of Flash include games consoles and Apple mobile devices.
2. There is no Microsoft-only conspiracy. These are the STREAMS we're talking about, not the DRM'd DOWNLOADS.
3. The hack described yesterday involved saving the streams to files that weren't time-limited, thereby effectively turning a STREAM into an un-DRM'd DOWNLOAD.
I guess "Why bother?" will probably be what the makers of quality drama like Life on Mars or Doctor Who will be saying in a few years when they can't get paid for their work....
Don't DRM content that doesn't need it
Programs from suppliers that have the 30 day limit in their contract can continue to be made available in DRM only form. Likewise if the supplier wants any other restriction on it that requires DRM.
Up to them if they want to restrict their content to a subset of viewers.
However if they don't need that limit the content shouldn't have that limit, there's simply no reason for the BBC to enforce *extra* limits beyond their normal 'UK only' of their remit.
I also don't see why they should implement their own players when it's clear as day that when they made the content in a known open format a player was made almost immediately. The set top box makers, network media player makers etc. can implement the code damn quickly.
The only thing currently stopping them supporting the Beeb content is Microsoft's DRM lockin.
Get a DVB card
Get a dual tuner DVB card and some software, record all you like in MPEG2 near DVD quality.
Saves wasting internet bandwidth and messing around with stupid DRM schemes.
What's the point?
Most shows are up on BitTorrent and Usenet the same day anyway, just restrict iPlayer to the UK and leave it at that.
@Rob McCann and other DRM whiners
Everyone who complains about DRM please remember why it's there. There is such a thing as copyright.
If you create something (write a book, develop software, record a song, produce a film or TV show) this involves significant effort and often considerable expense and it's not unreasonable that the law lets you protect that investment and control how and where your creation is used.
Just because computers and hard disks and DVD burners make it *easy* to copy something doesn't make it legally or morally right to do so. Just because we've all gotten so used to being able to copy things easily that we find DRM-protected files to be a nuisance doesn't mean they're wrong. Just because it's easy to break DRM doesn't mean we should criticise content owners for trying. Indeed, often people like the BBC or Apple or whoever have no choice - in order to be allowed to distribute someone else's copyright-protected content they are legally obliged to take all steps they can to prevent unauthorised use.
Yes, of course the BBC and other broadcasters have heard of PVRs. And as long as you just use them to timeshift programmes for your own use I'm sure they don't mind at all - they do want you to watch their programmes. But if you keep files indefinitely and watch them again and again instead of buying the DVD, or send them off to other people round the world so they don't watch them on their local TV station and the BBC earns fees from the distribution rights, then they suffer a direct financial loss, which translates to less money to pay writers and actors and make new programmes.
If you're happy that our airwaves are full of cheap crap rather than quality drama then fine, just carry on using clever little utilities to strip off DRM when you find it and sharing them over the torrents, and you'll have your way.
"ANYBODY in UK with Flash on ANY browser on ANY OS can view the iPlayer streams."
Could you tell me how I do it on Linux on AMD64, or Sparc64, or PowerPC then? Hint, there are no Adobe Flash plugins on these platforms.
I *could* view the streams on all these platforms yesterday using the iPhone hack, pity it's gone.
"What happened? Did all 400 Linux users start using the hack at the same time?"
(and I'm a Linux user)
Just use Firefox and Orbit plugin
Then right-click and Save As...
Why build the iPlayer for an unpopular platform?
Why bother making the iPlayer available on the iPhone anyway? The reason the BBC haven’t made a Linux version is because Linux is unpopular, so is the iPhone. This doesn't seem like good use of the licence payer’s money to me. Developing a client for Symbian or Windows Mobile would be a much better option, or even some sort of Java client.
@ AC re: "Linux on AMD64, or Sparc64, or PowerPC"
You probably can't run it on a Sinclair Spectrum, Cray 3, or CNC milling machine either, but I was talking about the *real* world.
Anyone got an iPhone they can check with?
The only two things I can see are either a different outcome from the math.random function on the iPhone or + availableStreams.pid + (see http://www.bbc.co.uk/iplayer/page/script/1.7/iplayer_info.js also) is generated differently somehow. Not being a Java programmer or owning an iPhone, I can't tell though. When I look at http://www.bbc.co.uk/iplayer/page/item/b00936r3.shtml?src=ip_mlt I get the link http://www.bbc.co.uk/mediaselector/3/auth/iplayer_streaming_http_mp4/b009hdr4?431410 generated when masquerading as an iPhone. Anyone with an iPhone like to see if something different appears?
The web browser probably has its own random number generator rather than using the system one. Other than that, your idea certainly has legs.
Safari is based on the KHTML rendering engine, which is also used in Konqueror. By mucking about creating an extra file in /usr/share/services/useragentstrings/ (on Debian, so maybe also on Kubuntu; other distros may use different paths) and restarting X, I was able to persuade Konqueror to do something ..... It didn't play the video, but that's most probably just a misconfiguration my end. At least the BBC seem to think my Konqueror is an iPhone now .....
Of course I realise it would be simpler just to put the programmes in my Sky Plus Planner; but if I wanted to do things the easy way, I'd just buy an iPhone!
The problem is that if you are running a 64-bit system, you have to have 32-bit libraries installed somewhere in your path in order to be able to run software compiled by other people. And the 32-bit libraries ordinarily have the same filenames as the 64-bit libraries.
Also, there are some instructions that are not available once the processor has been switched into 64-bit mode (which 64-bit Linux does; but 32-bit Linux and Windows don't).
If someone wanted to badly enough, they could run Firefox on a Sinclair Spectrum, Cray 3, or CNC milling machine. It'd be hard work, but it'd be possible, because the Source Code for Firefox is available for anyone who wants it.
Adobe, however, will not release the Source Code for the Flash player; despite the fact that they give away binaries for certain, selected platforms gratis and therefore would have nothing to lose by giving away the Source Code.
There has been some amazing progress made with GNASH, but it's still a bit like trying to learn to speak French by sitting in a café in Paris, listening to what people ask for and watching what they get given. This has to change: food manufacturers are obliged by law to print ingredients lists (and with good reason: search for food adulteration), so why aren't software vendors obliged by law to supply Source Code?
.... and perhaps or perhaps not related, I've discovered, this morning, that attempting to view video on the BBC News website in Firefox now causes the message "additional plugins are required to display all the media on this page." to be displayed. Clicking "Install missing plugins" sends you to a Firefox dialogue allowing you to install Windows Media Player 11.
Note that the video still actually works, without installing this version, but this message is new for me.
See for example, the current footage, of an incident involving yet another highly competent terrorist, featured on the front page.
A clue for geeky readers, who should head over to this page http://developer.apple.com/internet/safari/faq.html in desktop Safari, mobile Safari, desktop Safari masquerading as mobile Safari (via debug menu in OS X Safari 3), ffox, and ffox masquerading as mobile Safari: Various navigator.* (e.g. navigator.appName and navigator.platform) properties are unique to mobile Safari.
There's also the small matter of wget's --referer= and --load-cookies options.
No doubt somebody will have this defeated in the next few hours.
Video/audio capture eliminates DRM! Oh noes! Am I going to jail?
"If I had time (I don't, but someone else might) I'd write an application which simply records all the outputs to a monitor/speakers."
It already exists. Actually, several already exist. Camtasia Studio is the first one that comes to mind (free version here http://download.techsmith.com/camtasiastudio/enu/312/camtasiaf.exe which is version 3.12).
@A J Stiles
You just have a lib32 path and lib64 path for the respective bit version of libraries, I've been able to run all my 32bit applications under Linux, including non-native apps via Wine
MPEG2 stream available with no DRM?
It's called Freeview and any number of DVRs will record this high quality MPEG2 stream. It is then just a matter of transferring the file (e.g. Twinrip) and off to the P2P bypass all the BBC's copyright 'issues'. DRM is just there to make the average user's life more difficult it has and will never protect the content from unauthorized distribution (it's not illegal!).