Protecting embedded media

Posted: September 3rd, 2009 | Author: Nathan

I recently picked up a little side job wherein the client wanted to protect embedded Quicktime files in the members-only section of their web site (it was a tutoring site).  Obviously, anybody who’s really determined to get their hands on such embedded media would find a way using a screen recorder or other “advanced” means.  The idea here was to prevent the average user from being able to download the file using the embed URL or any Firefox plugins.

I was surprised at the few and relatively unhelpful posts I found on the subject, so I thought I’d throw mine into the mix.  I’m not saying it’s hackproof or totally secure, but if anybody sees a way around it I’d be interested to know how.

The basic premise is this: at the top of each page containing embedded media you generate a token, a hash of the file name and a random number, and store both the hash and the number as PHP session variables. In your EMBED tag, rather than referencing a media file in the publicly accessible section of your website, you keep the media stored "above root" and point at a PHP script (media.php, in this example) that checks the token, serves up the file if all looks well, and then destroys the token.

First, I placed the media above the web root on the server.  If www.mysite.com translates to /home/user123/domains/mysite/html on your server, you want to place the media in a folder such as /home/user123/domains/mysite/media. Then we create a PHP file called media.php in the web root to serve these files up.

<?php
// media.php
// start the PHP session
session_start();
// only accept a bare file name: basename() drops any directory components,
// so a request can never name a file outside the media directory
$filename = isset($_GET['filename']) ? basename($_GET['filename']) : '';
// check the hash (this will make sense in a minute). Note that crypt() with a
// two-character salt is DES-based and only looks at the first 8 characters of
// its input, which is why the name is also checked against a real file below.
if ($filename !== '' && isset($_SESSION['hash'], $_SESSION['number'])
    && crypt($filename, (string) $_SESSION['number']) === $_SESSION['hash']) {
    // if the hash is good, destroy the token and all related data
    unset($_SESSION['hash'], $_SESSION['number']);
    // open the file in a binary mode
    $name = '/home/user123/domains/mysite/media/' . $filename;
    if (is_file($name) && ($fp = fopen($name, 'rb')) !== false) {
        // send the right headers. you'll have to change these if you're using something other than quicktime
        header("Content-Type: video/quicktime");
        header("Content-Length: " . filesize($name));
        // dump the media and stop the script
        fpassthru($fp);
        fclose($fp);
        exit;
    }
}
// if something goes wrong, redirect (and stop, so nothing else is sent)
header("Location: index.php");
exit;

At the top of the page you want the media on, include the following code:

<?php
// the name of the file in the /home/user123/domains/mysite/media directory
$movie = "sample.mov";
// start the php session (before any output is sent) and generate a random number
session_start();
// crypt() needs a salt of at least two characters, so start at 10
$number = rand(10, 100000);
// create a hash from the two (the number is used as the crypt() salt)
$hash = crypt($movie, (string) $number);
// store the hash and the number as session variables
$_SESSION['hash'] = $hash;
$_SESSION['number'] = $number;
?>

Then, in your HTML, where you would normally have src="sample.mov" you now use src="media.php?filename=sample.mov". The filename in the URL must be exactly the name stored in $movie, or the hash check in media.php fails.

Since the random number and hash are stored as PHP session variables, the user oughtn't be able to see them and the hash should stay secret. The token is essentially "cashed in" when media.php is called and the media is returned to the browser.
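The same issue-then-cash-in design, as an added example that is not the post's own code: it swaps crypt() with a numeric salt for random_bytes() plus hash_hmac(), compares with hash_equals(), and only serves a real file inside the media directory. PHP 7.1+ is assumed, and MEDIA_DIR is the post's example path.

```php
<?php
// Added example, not the post's own code: the same session-token design
// (issue on the page, cash in once in media.php) with stronger primitives.
// Swaps in random_bytes() + hash_hmac() for crypt() with a numeric salt,
// hash_equals() for the comparison, and basename() plus an is_file() check
// so only a real file inside MEDIA_DIR can be served. PHP 7.1+ assumed;
// MEDIA_DIR is the post's example path.
const MEDIA_DIR = '/home/user123/domains/mysite/media';

// Call at the top of the page that embeds the movie (after session_start()).
// Returns the name to put in media.php?filename=...
function issue_media_token(array &$session, string $movie): string
{
    $movie  = basename($movie);
    $secret = bin2hex(random_bytes(16));            // 128-bit secret per page view
    $session['media_secret'] = $secret;
    $session['media_hash']   = hash_hmac('sha256', $movie, $secret);
    return $movie;
}

// Call from media.php. Returns the absolute path to stream, or null if the
// token is missing, already used, issued for a different file, or names no file.
function redeem_media_token(array &$session, string $requested): ?string
{
    $filename = basename($requested);               // drops any ../ components
    $secret   = $session['media_secret'] ?? '';
    $expected = $session['media_hash'] ?? '';
    // Destroy the token first so a replayed URL cannot be cashed in twice.
    unset($session['media_secret'], $session['media_hash']);
    if ($filename === '' || $secret === '' || $expected === '') {
        return null;
    }
    $actual = hash_hmac('sha256', $filename, $secret);
    if (!hash_equals($expected, $actual)) {         // timing-safe comparison
        return null;
    }
    $path = MEDIA_DIR . '/' . $filename;
    return is_file($path) ? $path : null;
}

// media.php, using the functions above ($_SESSION is passed by reference):
//   session_start();
//   $path = redeem_media_token($_SESSION, $_GET['filename'] ?? '');
//   if ($path === null) { header('Location: index.php'); exit; }
//   header('Content-Type: video/quicktime');
//   header('Content-Length: ' . filesize($path));
//   readfile($path);
//   exit;
```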


The Death of Support (even when you pay)

Posted: March 2nd, 2009 | Author: Nathan

[Image: Oracle support rules]

UPDATE: Several weeks after posting this I got a call from another support agent looking to help. Turns out the error was a problem with cryptkey thinking someone was trying to get around its security. He sent me two files (NETDC.DLL and P3SRVR.DLL) to overwrite the ones on the server. FIXED! You may download the files here. Keep in mind your problem may not be the same as mine. I take no responsibility if using this fix breaks your machine.

I had the pleasure misfortune miserable experience of calling Primavera (now Oracle) for support today for a problem we are having with P3, our scheduling software.

They have a knowledge base article that details the process of installing their software on a Windows 2003 terminal server running Citrix, but despite following those steps precisely we’re getting an error when running the software.

As you can see from the pic, I waited on hold for over two hours (they picked up around the 2:30 mark).  I also queued up their “Chat Support” option but had similar results and closed it after about an hour.

If I were calling HP to get support on a printer at my house I’d expect this.  However, we spend over $1,000 per year for support on each of our P3 licenses.  We have similar support contracts with other software vendors (thank you, Meridian) and rarely have to wait more than ten minutes.  When paying that much I expect to be able to reach a human in under an hour, call me high maintenance if you must.

Update 5/2/2009: If anybody is interested, the error we were receiving was "P3 Registration Cannot be Validated" and then "INITIALIZATION: FILE_NOT_FOUND (-1)." As it turns out they have been unable to get the software running at all on Windows 2003 R2. They suggested a rollback to R1 (no easy task since R2 came OEM with the server). Would have been GREAT if this were in their knowledge base and we had known before we set up all the other software on the server.


Whiteboarding UI and workflow with Balsamiq

Posted: March 1st, 2009 | Author: Nathan

[Image: Sample Balsamiq UI Mockup]

Before I started work on TallySpace I wanted to have a game plan for the UI and work flow.

My previous projects had always been small enough that I could plan as I went along. Obviously this led to many frustrating dead-ends and some backpedaling when my informal plans required major revision, but it worked.

Being that I wanted to do this project right, I wanted to at least plan out, in detail, the user interface of all of the pages. One day I was listening to Net@Night and they were interviewing the founder of Balsamiq. He basically started the company on his own and was able to make $100K in his first year. I liked his attitude and his story so I downloaded the demo.


Project Highlight: TallySpace

Posted: March 1st, 2009 | Author: Nathan

Since the primary purpose of this site is shameless self-promotion I figured I'd dive right in and highlight my currently (most) active project: TallySpace.com.

My wife is a teacher and for a few years was yearbook adviser at her school.  One day she was complaining about how they spend literally weeks out of the year counting standout votes.  For those not in “the biz” (which I wasn’t) those are the votes for things like “Best Hair” and “Most Likely to Succeed.”  Being the techie I am, I spent a night working up a really quick-and-dirty PHP/MySQL app that imported a list of her students and could basically let them do all the voting online.

We ran the vote that way last year and this year and despite a few bugs things went off nicely.  The site prints out a nice little results page for those authorized to view it and generally saves the yearbook class from having to waste a bunch of time counting votes.

I got so much positive feedback from the teachers that I decided to build it out to handle multiple schools and multiple vote types, including Prom/Homecoming votes and student government. I'm currently about 60% done with the "Alpha" build and will be posting updates here. This is the first really unique and massive project I've taken on myself so it's been a learning experience.

If you’re an educator or know any who might be interested feel free to head over to TallySpace.com and sign up to receive notification once the Beta is opened up.  I’m not sure who I’m going to open it to yet but depending on the response I may just let in everybody who asks.
