Widevine has been privately cracked/bypassed. The method hasn't been made public as it would obviously get patched rather quickly (if it even can be patched).
That's why Netflix content is available almost immediately on any decent tracker. The quality would not look nearly as good if it was grabbed using a capture card.
Like others have mentioned, it's security theater for the content owners who most likely require Netflix to have DRM in place in their contracts.
It's not even private anymore. Anyone can easily find tools on GitHub or other sites[0] that can download widevine'd content. It's easy to find L3 keys on GitHub too. There are public sites[1] that get the decryption keys but using their own keys on the backend if you cant find keys or don't know how to dump the keys. There is an all-in-one tool[2] that lets anyone with 0 knowledge of DRM to dump content from practically any site that uses widevine, costs a leg but it's meant for people who don't want to waste time finding tools and learning how to do it manually.
The all-in-one tool only decrypts Widevine L3, which is the lowest security Widevine protocol according to TFA. 4k content is only available with Widevine L1. The others don't say which level they support, but I assume it's the same.
That tool says it does for 4k for HBO Max. All the other platforms (Netflix, Hulu, Amazon, Disney+) are 720 or 1080 though. Wonder whats going on there.
This is why audio and video drm is so useless. All the cracking teams have their own methods which they don’t need to publish. Unlike video game drm where the cracks have to be published with the game.
It's actually a bit dangerous for ripping groups to do that if they're in countries friendly to western interests, because the media companies can initiate a traitor tracing protocol to figure out where the leaks are coming from and then initiate prosecutions. Traitor tracing algorithms are well known in the literature and some are undetectable.
When this game was playing out with BluRay, it wasn't possible for the media groups to directly attack the ripper makers because the primary developers were in Antigua which had a WTO ruling against the USA allowing Antiguans to ignore US intellectual property rights. I forget the political background. Later I think someone in China started doing it too. The point is though, that the tech converted (for a time) the problem from one of intractable scale to one of "if we get these two companies then the issue disappears because they're the only ones who have the knowledge". That opens up all sorts of new strategies for the media companies to pursue. They may not work, but, the situation is definitely not the same as before.
BTW video game cracks don't have to be published with the game. They can just publish the patches to the game files without releasing any tools they created to make those patches.
Not just privately either, there have been tools circulating even on GitHub.
For a L3 example there's one repo [1] that's kind of still up but not really. Still enough to show that it happened. L1 bypass has also been on GitHub briefly. However these things get deleted rather fast for obvious reasons.
> Just because piracy is possible doesn’t mean they should make it as easy as it can be for users.
> There’s value in even minor hurdles.
The hurdles only exist for the people who are paying them. It makes piracy more attractive relative to paying, by making the experience you get when you pay worse.
> They clear think it’s worth it.
They're corporations. Management is under pressure to be seen doing something about piracy and the DRM vendors saw an opportunity to sell them some snake oil.
That is like arguing that "clearly people think fax is secure, otherwise they wouldn't use it". No, it is obviously theater but other people insist you use it and while useless the effort to change it is "not worth it".
Cell pagers are also deemed secure in some places, despite being broadcast over a wide area.
Both of the technologies can be seen as "secured" by laws outlawing listening to the information sent in cleartext.
I wouldn't call it "security theatre", i would call it "security through legislation" or something along those lines.
I thought "security theatre" was a routine that promised, but did not provide, additional security, and while there is no technical security, there technically is some security, in the form of legislation.
Yeah. When nerds talk about DRM I’m reminded of that xkcd with the encrypted payload, and the crowbar. I can’t be bothered finding it.
“Security theatre” is as you’ve said something that people in these circles there around at times when it’s just not accurate.
This is such a weird blindspot for nerds. A cargo-culted relic from a bygone era where digital media consumption was worlds harder than it is now, and the argument against DRM was less wrapped in moral superiority, instead just…much more blatantly being about people wanting to pirate things.
I’ve got no doubt that a highly experienced and motivated hacker could pop any of my stuff in 5 minutes. Doesn’t mean that I’m not putting effort into securing my stuff against the garden-variety script kiddie, even stuff that negatively affects user experience.
An argument that the negative UX imposed by DRM doesn’t justify its benefits (to the content owner / distributer) is at least a little bit interesting. However “it’s annoying to get going on an OS that nobody uses” is a pretty weak argument. As is “it makes it hard to rip content from a streaming service in a way that’s very blatantly NOT in the spirit of the transaction that gave you access to the media in the first place”.
DRM isn't really about piracy, it's about control and money. They want to be able to take content from people who already paid for it, censor/edit/change content after it's been purchased, track usage, and ultimately force people to pay over and over again for the same product.
The fact that DRM sometimes slows pirates down for days/weeks/months is just a tiny bonus.
Widevine has various levels, and there are exploits for the lower ones.
But the upper ones really only have a vulnerability if a hardware key gets extracted, and Netflix shows in higher resolutions are increasingly not available anywhere because of that. Stranger things Season 4 was only available at 720p for more than a month.
It was cracked but they had to burn a hardware exploit to do so and the key was (I assume) subsequently revoked. So they are only doing it sometimes when there is a sufficient buildup of content.
I think it's both things. Netflix, and other platforms, don't send lossless streams to you. Even at 4k. Plus, you are re-encoding it.
Its like doing a VHS copy from another VHS, or creating a new JPEG image from another. Always there is a loss of quality.
Well a 1080p stream at 30 fps would be 1,5 Gbit/s -- a little outside the spec of most people's internet tubes. And 4K UHD at 30 fps would be around 5 or 6 gigabit.
It helps to capture the Netflix stream uncompressed to remove the extra compression step you'd otherwise get at capture time, and modern encoders are pretty good, I don't think most people would notice on a laptop screen.
On a 40+ inch 4K TV though, it can be quite noticeable
The signal remains digital, but decompressed into a raw bitstream that would be many mbps (think how big lossless filesizes get). So it has to be re-encoded but you’re doubling the compression artefacts, and can only avoid them by really dialing up the bitrate.
Maybe someone made a video encoder algorithm that’s tuned toward already compressed and decompressed video.
Though I’m in the camp of watching for quality of the story etc. rather than the crispness of the video. If it’s not worth watching in 480p, it’s not worth watching in 4K either.
Capture is not lossless. Think about a photocopy machine, every copy loses a small bit of information. Recapturing video output is a similar situation.
Why? Photocopy is obviously lossy since there is a very noisy digital-analog-digital conversion going on. But a capture card is capturing a digital signal. There should be no loss except for video decoding/encoding artifacts.
You're not understanding how lossy compression encoders work. Try recompressing a JPEG a few dozen times. Or take an MP3 and export it from Audacity, open the export, export as MP3 again a dozen times and see what it sounds like.
All those artifacts keep getting amplified every time you re-encode until it's practically just the artifacts. Every time you render and recompress you're losing information, it's lossy compression after all.
Lots of the time capture cards are returning a compressed video stream instead of raw frame data, at least for non-professional environments. I don't know too many amateur streamers handling SDI around their house.
In practice, that difference doesn’t really matter because almost no one is going to store their captured, already-lossy material in a lossless format.
If you know you have to recompress and want to reduce unneccessary artifacts, you do. But beware that uncompressed video in 8 bpc (not HDR) 1080p @ 30 fps is 1,5 Gbps so you'll need 1,3 TB to store your 2-hour capture :)
Like the codec used to get the stream from Netflix to you, to be decompressed for the capture card (so lossless capture of a lossy source) and then back through x264/265 so lossy compression on a lossy compression. Just because there is a capture card in the middle doesn't stop it going through multiple lossy steps.
QTractor. I used to master with Jamin but the master_me LV2 turns out to be easier to use (for me). I also use giada for live looping and mixxx for DJing, all of which work great on musl.
I see Alpine Linux uses musl instead of glibc. Theoretically, couldn't you install or build glibc anyway and launch Chrome with LD_LIBRARY_PATH=/path/to/glibc?
I've danced this dance at some point, I wanted to do things right and "reward content creators". Then I gave up.
Paying money and having to install a proprietary browser and run proprietary software to stream low-quality video (not download, or move to a different device), if the company deems it available to you at that particular place and time.
Meanwhile torrents let you start watching most content in under 30s, at whichever quality you'd like, in a convenient mkv you can stick anywhere.
No thanks. I'll stick to patreon and buying albums to assuage my guilty conscience and reward content creators.
Widevine is a plugin-like .so meant to be loaded into Chrome/Chromium. Because it uses glibc, the entire process hosting it must use glibc. So, what prevents me from ALSO HAVING GLIBC CHROMIUM instead of musl Chromium? Nothing, but I hope you get that it propagates further and it's a horrible idea to just glibc everything on Alpine.
Sure, but you need it for Chromium alone iirc, no?
>Because it uses glibc, the entire process hosting it must use glibc. So, what prevents me from ALSO HAVING GLIBC CHROMIUM instead of musl Chromium? Nothing, but I hope you get that it propagates further and it's a horrible idea to just glibc everything on Alpine.
Well, don't glibc everything. Just Chromium and its dependencies. How does it "propagate further"? It's not like libraries leak outside where they're told to load!
I want to use the distro (Alpine) packaged Chromium, which links to musl. Not some random Chromium build I found on the Internet. Having to use a glibc Chromium is already too far for me.
Do you suggest that in order to support Widevine, a distro (Alpine) should also build Chromium, Firefox and co also with glibc instead of the default (musl), or provide two varaints?
Even when they have a Chromium with musl as libc working perfectly fine, except no proprietary DRM support?
I'm okay with running a proprietary binary, linked to glibc, by installing the glibc alongside.
I'm not okay with having to randomly change other packages already in my system (in this case, my browser) to glibc variant.
Edit: Oh, and anything Chromium depends on have to had a glibc variant.
>Do you suggest that in order to support Widevine, a distro (Alpine) should also build Chromium, Firefox and co also with glibc instead of the default (musl), or provide two varaints?
Yes, absolutely.
I'm not suggesting that it's a good thing that this is needed.
But I do suggest that it needs to be done.
Will, in the sense that, otherwise, people running Alpine will have to say "OK, as it is, we can forget Widevine and Netflix/Spotify" and leave it at that.
That said, since this is something many Alpine users will want, I'd expect to be some known "semi-official" or "reputable third party" build for this, not just "some random Chromium found on the Internet".
If not, personally I'd skip Alpine.
>Even when they have a Chromium with musl as libc working perfectly fine, except no proprietary DRM support?
Well, even then, since this doesn't change the fact that Widevine and thus Spotify/Netflix wont work.
> For broad-based usage, things are less likely to break with glibc. For a specific use case, that may be less important. As a dangerous generalization, musl is usually lighter on resources, but glibc is faster. If using ARM or very limited hardware, musl may in fact be faster, but with more available hardware resources, glibc usually wins, often by using non-standard optimizations (cheating).
> In the instance of Chrome, the browser doesn't implement the DRM itself, but delegates it to a native library referred to as a CDM (Content Decryption Module).
> This library is an opaque proprietary blob that we are forbidden to look inside of (at least, that's how they'd prefer it to be).
> Graciously, as part of the Chromium project, Google provides the C++ headers required to interface with The Blob. This interface allows other projects like Firefox to implement support for Widevine, via the EME API, using the exact same libwidevinecdm.so blob as Chrome does.
Excellent writeup. Asahi is my daily driver, but I've never had the need for either Spotify or Netflix. I guess the gospel of RMS and the FSF over the past few decades has steered me away from anything DRM-related.
In terms of freedom of using compute devices, RMS has a point.
In terms of freedom of using media, I'm less annoyed by Spotify or Netflix than I am by "purchases" of media that have DRM. It's clear that one is renting with the streaming services, but Amazon can revoke permission for me to read books I have purchased or Valve can revoke permission for me to play games I have purchased, we are truly living in a dystopia.
The terminology should be either "License", "Buy a License", or "Purchase<br><small>Indefinite License</small>", but it's distinctively "not renting" since it's a one-time cost to obtain that indefinite license. Renting anything implies and requires some form of ongoing cost.
When have you ever been able to buy software? I thought in most cases you just buy a license to use the software or the license says it’s free for X types of uses or sometimes “free for everyone”.
Back when it was sold on physical media; CDs, Bluray, DVD or floppy disk. Because it was a physical disk, you were allowed to do whatever you want with that disk. You weren't given the right to copy it and distribute those copies thanks to copyright, but you were allowed to resell your one physical copy due to the first sale doctrine. Hence we can quibble about the definition of "buy software", but we used to be able to do that. It's that the first sale doctrine kinda doesn't apply if you're renting software like a SaaS over the Internet; eg Adobe Photoshop/Creative Cloud.
I don’t remember it being like that with CDs and floppy’s. I’m pretty sure most of them were still a license to play.
Looking at my Diablo II (version 1.0 2000) and Warcraft III CDs I am given a license key and agreement to an EULA. Unfortunately the EULA isn’t in the box but I’m almost positive they could revoke my key and I’d be unable to play.
Blizzard trying to push renting software on us doesn't change what was legally allowed, and Diablo II and Warcraft III were after the Internet came around. Now, if you bought Warcraft I, which didn't have Battle.net support, you own that one copy, and Blizzard can't take that copy away from you. Which is to say it's bought and not rented.
Yeah the subscription services for media I like and I feel like the proposition is straightforward. I pay per month for access to a massive catalog of media. If I don’t like it I can just stop and maybe subscribe elsewhere.
It seems quite fair. There’s no mystery that it is a rental situation.
I use the web client, but I find myself lamenting how it's missing basic features, like playlist management (change song order, duplicate playlist); fortunately I don't use those often, but it is quite annoying.
The web client seems to install some DRM packages.
I've used ncspot extensively when on little ARM boxes - it requires a premium account, which I have, and it's just a nice little curses interface to Spotify, written in Rust, that seems to work on everything with a minimal of resource use.
raspotify/spotifyd aren't alternative desktop clients, they're connect clients, great if you want to modern-ify an old amplifier, but not useful for streaming.
All of the native desktop clients (psst, spot, etc) are missing quite a few features compared to the official client, and spotify-tui is nowhere near as nice to use.
Hard agree. There was so much nerdrage when the EME was being considered for standardization, as if by not standardizing an API we'd be preventing DRM from existing. People acted like Tim Berners-Lee was stabbing the collective internet in the back when he endorsed it.
The choice was between a standardized web-based DRM, or a wild west of incompatible proprietary DRM. Personally, I'm glad I don't need Silverlight to watch Netflix anymore.
There is also the opinion that having a Wild West of incompatible proprietary garbage would result in DRM being less popular because it caused too much friction for users. Of course some stuff would still have it, but less would than the current state where it’s easy and invisible to users until you hit an unsupported system.
> …would result in DRM being less popular because it caused too much friction for users.
I agree. But that wouldn’t lead to more content freely available. It would lead to more content being locked in apps and unavailable in the browser.
Do you think they would’ve made an app for Linux? I don’t.
The dream that all content be available DRM free isn’t happening any time soon. Rights holders clearly don’t want it and I don’t think anyone could marshal a big enough boycott to change that.
So the choice is DRM or no content at all. Given that EME is a good outcome.
I don’t think Spotify web would have DRM if it required manually installing crap like silverlight. Music went drm free because it was inconvenient, and then when the drm was refined a bit, it’s all locked up so the web ui doesn’t work on Asahi.
By the beginning of 2007, every music service that wasn’t iTunes had failed to gain traction. The record labels wanted Apple to license FairPlay. Apple refused and Steve Jobs posted “Thoughts on Music” to the front page of Apple.com where he gave the music labels an alternative - license their music to everyone DRM free.
> The third alternative is to abolish DRMs entirely. Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat
The record labels wanted Apple to give them a cut of each iPod sold, allow variable pricing and allow more music to be bundled instead of sold as singles. Apple refused. Some other places like Amazon and MS acquiesced.
Apple then released the iPhone. But didn’t have the rights to sell music over cellular. Both sides came back to the bargaining table and by 2009, iTunes music was DRM free.
Because users are so famously reluctant to download apps? Apple would like a word with you ;)
It's mostly devs who obsess over the downloading and running of programs as if it's a great torment. Users don't care much. They're happy to go grab things from app stores or even just download and run them. Notch was able to buy a massive mansion in Beverly Hills on the back of people downloading and running his Java desktop app.
But it makes music the one digital good I don't torrent on the reg cuz it's easier to just search it up on Amazon than on some torrent site. (The one weird exception is discographies, since they don't sell those for some reason. For them, archivists' torrents got you covered.)
The mere existence of Widevine is a mystery for me. How sensible for Netflix is to invest into DRM at all?
It's not a gamedev situation, where DRM lasts long enough to make impact on initial sales. Pirated Netflix shows appear on the torrents same day, and unless they have full-stack protection from the decoder to the screen, not much can be done.
They seem to make user experience worse for nothing.
> The mere existence of Widevine is a mystery for me. How sensible for Netflix is to invest into DRM at all?
Well that investment is pretty low since Widevine is quite easy to integrate and the licensing cost is 0 for Netflix.
The thing is, you do need some Digital Rights Management somewhere. If you just have clear-text mp4 with no auth, you can just share that mp4 url, and you could watch movies directly off Netflix servers (so it would cost even more than torrenting).
You could include temporary tokens in your URLs, but then you need your CDN to be a bit dynamic.
Or you could have a completely static CDN, but the files are encrypted, and you download the encryption key off a server dedicated to DRM that will check you're properly authed. And well, here you've re-created Widevine. Widevine do provide more protections than just that, but that's just free for Netflix, they literally just have to switch some booleans.
> They seem to make user experience worse for nothing.
Yeah I mostly agree. As I mentioned before, there are some usages of DRM that are not completely non-sense. What kills me is the HDCP requirement. Many TVs have HDCP compatibility issues (for instance my Samsung TV has the two 4k60p yuv444 hdcp 1 ports and one 4k60p yuv420 hdcp2 port, so I need to chose between 4k content and true 4k resolution), while HDCP2 is utterly broken: you can find decrypting dongles for 20€ directly from Amazon.
I don't think anyone's suggesting that there's NO authentication. Authentication is a relatively trivial, commonly-accepted necessary nuissance that is distinct from DRM.
If it was the whole story, they'd put their own content (the rare ones for which they have 100% of the rights) with no DRM and the maximum resolution. But they don't do that.
In some cases you might get 720p (Netflix content) instead of 540p (third party) with widevine L3.
Why would they do this if they've already gone to the trouble to solve the problem for content they don't own? Just to show off by taking on unnecessary risk? The fact that they didn't build this infra specifically to protect their own content doesn't mean they wouldn't enjoy the benefit of the extra protection anyway.
It's in their interest to get rid of all the DRM, so it's a matter of setting an example. If they try to get Hollywood to stop demanding it while they're still doing it themselves, they look like hypocrites and fools. If they stop they can demonstrate the worthlessness of it and the success of their content without it and try to get others to follow.
> It's in their interest to get rid of all the DRM, so it's a matter of setting an example.
Is it?
I doubt it's a significant cost center. Plus, right management is viewed favourably by the rest of the entertainment industry. Actively going against the grain would impair their image with their commercial partners.
> It’s not. It’s enough to deter casual piracy. There is some value in that.
Casual pirates wouldn't bother right-clicking in the first place unless it's to store a local copy that they won't even know how to share effectively (since they're casual).
The only thing DRM achieves for netflix is deterring new customers and hurting existing ones.
Most pirates are not subscribed in the first place. They just download something someone else had removed DRM from, which also makes it a superior experience. It only takes one pirate with a decent computer to encode a good DRM-free copy for it to be shared via BitTorrent. It is pointless to deter casual piracy when one "professional" pirate is enough to free the content.
> It is pointless to deter casual piracy when one "professional" pirate is enough to free the content.
For the piracy scene, sure. It’s irrelevant.
But for normal people the difference is huge. They may not know how to pirate content, where to go to find it, or be willing risk downloading it and getting in trouble (scary FBI warnings and ISP letters).
But once it’s trivial due to the lack of protection it will be all over TikTok and FB and WAY more people will pirate. Those are the people DRM, even light DRM, stop.
The way I like to put it is with an phrase your hear sometimes in the lock picking community. Locks actually don't really offer much protection. Their main function is to "keep an honest man honest."
I’ve known enough casual pirates like that in my life. People who would sign up for Netflix for one month every three years and immediately download everything and then cancel again.
> The only thing DRM achieves for netflix is deterring new customers and hurting existing ones.
Out of their more than 231 million subscribing households around the world, I don't think more than 5,000 feel the way you think. Even if 55,000 felt that way it doesn't matter.
This. DRM is a courtesy lock on a bathroom door. It makes ripping content enough of a hassle that only people who are willing to put some effort in will bother, and those people are going to find a way around it no matter what. It doesn't have to be unbreakable to have some value to the content owner.
If we accept that enabling DRM on some of their content has some value to Netflix, which it obviously does, and we accept that it doesn't impose unacceptable user experience tradeoffs, which it obviously doesn't, then it is rational for them to enable it on all of their content.
There is probably a hypothetical cost/benefit break-even point where it actually degrades the user experience a little and thus is only acceptable in cases where it is absolutely needed, but it seems unlikely this is significant enough to even be quantifiable.
> It’s not. It’s enough to deter casual piracy. There is some value in that.
Is it? Anyone is able to use obs studio these days, you know, to be an influencer. It is all I needed to "backup" offline versions of some shows for my kids before we would take a plane. I am pretty sure I could have torrented them out as well.
It's not worthless though, because if it didn't exist - some browser extension would appear the next day which adds a nice little download right next to the play button.
Buffering delays can be greatly reduced, if not eliminated entirely, by simply sending the whole file but in the past many upstream content providers insisted on limits for the amount of buffering/storage in the client.
Fortunately you can now download entire videos in the app, though they're undoubtedly encumbered by DRM of some sort.
The consequences of mislabeling it likely vary based on the severity. Mislabeling and presenting without encryption is likely to be a bigger issue with content providers than accidentally allowing it via a VPN.
Bingo. Netflix doesn't own the majority of the content it streams and wouldn't be able to have the catalog they have (which could be better) without providing guarantees to the rights holders of said media.
This is also why streaming video catalogs in Netflix and other providers can be anemic at times—even assuming nothing is exclusively licensed elsewhere, it's cost-prohibitive for Netflix to license all the media out there. Instead, they license popular stuff and use the rest of their licensing budget to rotate in/out a selection of less popular content.
This is the only reason why they do it. It's not just Netflix, everyone in the industry knows it's pointless, but these licensing deals mandate it and no one wants pay lawyers or extra to have it removed.
Of course they want to. Who doesn’t want to protect his or her intellectual property?
There are probably millions of people subscribed to Netflix merely because pirating Netflix content is inconvenient enough to make people rather pay. How many would reconsider this if the user experience of pirating was exactly as convenient as a paid Netflix account?
Most probably enough so that enacting DRM is the smaller price to pay.
> There are probably millions of people subscribed to Netflix merely because pirating Netflix content is inconvenient enough to make people rather pay. How many would reconsider this if the user experience of pirating was exactly as convenient as a paid Netflix account?
The people extracting the content are people who do subscribe. The user experience of the people who pirate instead of subscribing is completely unaffected by DRM because the DRM is removed by the time it gets to them.
All the DRM does is make the experience of piracy better than that of subscribing, by inconveniencing paying customers and not pirates.
Notice that the people complaining about DRM are almost never pirates, who have cracked it all already. They're people who want to pay Netflix money so they can watch Netflix on their weird Linux setup or whatever instead of just downloading whatever they want in the Netflix catalog from the piracy sites, which would be much easier.
DRM doesn't do anything for non interactive content. It's trivial to rip video and music regardless of what DRM scheme is used because the content is useless unless it's eventually presented to the viewer/listener in a non DRMd form.
You can make this argument for DRM on games, because there is no analogue hole - I can't record me playing a game and give someone else the exact same experience (although some publishers try to restrict this too, not realizing that streamers and youtubers are just giving them free advertising by playing their games).
It was actually interesting to me the latest Chris Rock special which was on Netflix live recently. The first live event I've heard of Netflix doing.
It took a day to get onto the torrent sites.
So that was the first instance I've seen where buying was better than pirating.
I did see comments on the torrent sites from people who were there because their legitimate paid setup was deemed incompatible with live streams by Netflix though... Not a great incentive to keep paying.
I also wonder that about any audio/video DRM, but like most things it's probably something that is agreed upon in the many licenses that they'll protect the copyrighted material to their best ability. Even though everybody knows it's pointless and even ends up being a nuisance for some legit use cases like this story.
Just reminds me of years ago when building websites for clients they always wanted me to block right clicks and put a transparent image over a jpeg so people can't right click/save even though I told them it does nothing against people who want to copy the image. "But it's a bigger hurdle to do so!" well, not really.
I'm sure it's probably a requirement from all the 3rd party media companies. They didn't seem to like VPNs either. But I also wouldn't be surprised if Netflix wants it to keep high quality versions at least off pirate sites.
But probably re-encodes, so filesizes are bigger for close enough quality. A direct crack of the encryption would be best from a space-quality perspective.
Doesn’t really matter much though in most of the world as it used to though.
You know we had that, they called it HDCP. It continues to frustrate users of beamers and what not today, despite the root key being leaked for many years now. Even before the key leak, it never did anything to stop shows appearing as torrents on day one. It will never work, if pirates have to replace the TV panel with an FPGA, they will happily do so.
> It will never work, if pirates have to replace the TV panel with an FPGA, they will happily do so.
Evidence does appear to point to you being right, but I really wonder just who is going to these lengths to pirate things for other people?
A significant investment of time and money, from highly a highly skilled individual, for... bragging rights? Is there some financial motive I'm unaware of?
> but I really wonder just who is going to these lengths to pirate things for other people?
Content owners really seem to underestimate how far people are willing to go for kudos alone on setup cost if the reproduction cost is zero.
Also for some people it's a point of philosophy / concern about future-proofing. Guy I knew back in the day was the biggest torrenter around... He was stuffing a hard drive full of '80s cartoons. His attitude on it was that the creators and owners did not care if those half-hour toy commercials would be around in 100 years, but he did.
As other people already said, some people do it purely "for the just cause". But the piracy is also a literal gold mine if you're able to manage legal risks. Basically, you take ripped content and either re-sell ad-free access worldwide (Netflix is really, really limited to the first world), or make it available for free with heavy ads, or both.
An enterprising and skilled hacker or group of hackers finds rich financial backers to invest in the equipment and time necessary to build a solution. There’s probably a whole underground scene or multiple connected scenes working on this stuff, composed of both hackers and their supporters.
> but I really wonder just who is going to these lengths to pirate things for other people?
The people breaking the systems and the people doing most of the pirating are different.
DRM breaking is a fun challange to some people. You can find these kinds of people breaking all sorts of things. Browser sandbox escapes, remote code execution etc. The mindset is well described in the article here as I can only solve a problem if somebody else implies that I can't. It's a fun challenge! Plus if you do it before others, you get to feel really superior.
The actual pirating is however done by different people. Usually initially by close acquaintances of the DRM breaker, but the methods tend to spread/leak.
If I can crack any piece of DRM, or any digital restrictions, I will do it for free and release it for free. If publishers can't make paying for content more convenient than torrenting or downloading it from a random website, it is their fault. Also, the sense of accomplishment is too great to ignore once you finally crack it.
Thanks! I was trying to figure out what the heck a beamer was. Didn’t seem likely to be a BMW which is the only thing I’ve heard folks in the US call a beamer.
Reminds me of when I visited friends in Germany and they kept talking about their handy and I eventually figured out that’s a cell phone.
> IIRC you can only play 4k Netflix on a smart TV which controls the entire stack from network to pixels
Netflix won't allow TV makers to make their own Netflix app, they must use Netflix proprietary code as-is, and it's Netflix code that download chunks and forwards them to playback, while TV handles the secure video decoding, so TV can't "control the entire stack"
Also, tv boxes are allowed to playback 4k Netflix just fine without controlling the screen.
All the Netflix shows you can download on the internet do include the 4k versions.
Maybe they'll obsolete older 4k devices that are deemed less protected (though I could probably point them "a few" security flaws to Netflix-endorsed 4k devices so that every is on par), but I doubt it. I don't think anyone ever done that (720p has always been fine without HDCP, 1080p with only HDCP1, before that macrovision was non-breaking) [1], and I doubt Netflix would want to push that badly towards e-waste.
[1] There has been few cases of some devices being revoked, like Nexus 6, but it was usually long after their shelf life anyway
they do this because the board has a financial obligation to its shareholders to mitigate risk. they do this because the board also has a contract obligation to its content providers, artists and unions to safeguard against unlawful piracy.
Widevine is not from Netflix per-se but for all kind of DRM content, including that from other streaming services for all kind of media.
Furthermore it is _not_ Netflix decision, but a decision legally forced onto them by companies which whole purpose it is to make money from selling copyright which have huge legal influence in both the US and the EU. (Through Netflix does has some influence on the legal framework leading to to, but very limited compared to e.g. Disney.)
If Netflix wants to have any 3rd party content, even "old crappy stuff", they need DRM (or way more power/influence). Even for first party content due to round about legal things they might be required to have DRM, I think. (But I am not completely sure).
It's actually quite simple. DRM exists so regular users can't easily rip the stream and share it with friends. Sure, the video is already available on pirate sites. But theres a big difference between accepting a video file from a friend, and having to navigate the pirate sites (which are also full of viruses).
The point is to make the Netflix experience better for the average person than the experience of using a pirated source.
And - IMHO - it works.
I used to use Bittorrent quite a lot. There was a bunch of US shows I watched that were unavailable in Australia and so I had a pretty decent setup where things would automatically download when torrents were posted.
Life happened, I stopped using it and haven't really tried torrents for maybe 10 years.
I tried to get a show recently that isn't available here. Wow, that's a pretty bad experience - try to find the correct show, work out what client you need, find one that has seeders, downlaod one and the codec is wrong for my device etc
I just gave up.
I can get NVidia software working on non-standard Linux builds (which I think is a pretty high level of technical competency) but for most people getting pirated content isn't worth the effort.
By putting DRM on the content, they limit distribution to people who know how to remove it and then to people who are experienced at finding what they want on pirate sites.
TL;DR: The user experience is much better for most people. Pirated content has such a bad user experience, but people who use it have invested a lot of time working out what works and don't realize the effort it takes.
Go to torrent site, download torrent, click on file. It really couldn't be easier. There's no DRM on the torrent. If you have a semi-modern GPU you can play any codec you might download. I'm really not sure what you're talking about, unless you're going to some weird torrent site.
Piracy has a great user experience compared to paying for DRM and having to use a particular app instead of your preferred player.
I almost wrote "just wait for people to say 'no it's easy'" but I thought surely we are over that now.
I want to watch The Climb 2023 S01E01. I Google "The Climb 2023 S01E01 torrent"
First result is www.stagatv.com/series/the-climb-s01 (not linking because it is spam)
Hmm nothing else useful on the first page except this: In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at LumenDatabase.org.
Ok, lets look at that. Hmm a random list of very spammy domains like 123movies dot unblockall dot org. Hmm these don't seem to work.
Ok what about my old torrent sites. No, they are all down.
Opens Netflix, but it’s not there? Huh, this show is licensed by BarBaz company, so goes to their website.
Good, it’s here. Wait… “Watch” button is greyed out? “Content is not available in your region”?
Or simply the company decided that your device is not good enough to play the video at full resolution (e.g. Apple TV does that in LG TV app), and standalone device is like 3x overpriced in local stores?
OK, searches for some random VPN (that’s the part where spammy domains and adware come into play). Finds something that seems to be working.
Or not? Searches for the problem, and oh no, the region lock is actually based on the account, and to change that you need to use a card or ID from that specific region or whatever.
Searches for this stuff (more spammy domains), finds a marketplace, gets scammed but luckily there is a buyer protection so gets refund.
Gives up, opens some popular torrent tracker/forum, downloads 2160p HDR/DolbyVision WebRip/BDRip, can watch with friends offline at a local party.
First, Google heavily censors results nowadays. You will get much more results with say Yandex.
Second, TPB is no longer the best public torrent host. For public sites rarbg and 1337x are better alternatives.
Also, for anyone actually doing this kind of stuff regularly, the key is to enter the world of private sites. There is more than enough public discussion around them on sites like reddit. https://old.reddit.com/r/trackers/
So, it's still really easy. Your knowledge (like TPB) is just outdated. However for people who have equivalent modern knowledge, things are simple.
See this is actually the point: It might be easy but it's going to take time. Even more-so with all the people suggesting setting up a whole software stack.
Again, it's all easy enough, but..
It's not time I'm not prepared to invest anymore.
And to go back to the point: this inconvenience is why Netflix keeps DRM.
You could google "top torrent sites", enter one search and be watching that show in less time than it took you to write that comment.
As others have said, it would take me a lot longer to find out which of the myriad streaming services actually have that show, and what device/app I need to actually watch that streaming service.
I could connect to my Iranian VPN which it's VPS I bought through portals available in English, type "The Climb 2023 دانلود", Click on first google Link and use google translate to find the download link in the page. Or use private trackers like IPTorrent or TorrentLeech through leecher (torrent to direct link) providers available in said countries. Will probably work on any other country/language combo with out copyrights law.
Piracy has become slightly more difficult, mostly because of the difficulty finding good torrent sites.
I've set up Prowlarr with the recommended torrent sites and have found two torrents (h264 with 4 seeds and h265 with 9 seeds at 1080p, or h264 with 3 seeds at 480p) for your query; it took me no more than five seconds. A torrent client isn't enough these days, unless you like wasting your time on Google, but there are technical solutions for that!
Combine this with Sonarr and you can simply add "the climb". It'll download all the episodes for you, and optionally start downloading new ones once the next season comes out.
I can't find where I would watch this show legally. The local copyright lobby has set up a nice website where you can look up legal sources for TV shows, but it doesn't even list the show, let alone show the normal "not available right now" message. With legal-ish access to Amazon, Disney+, HBO, and Netflix through my accounts or those of friends, I'd expect to find it somewhere but I'm not going to bother manually searching through all that.
There's an opportunity for media companies to take Sonarr and make a version that just redirects you to the services you're already subscribed to. They'll have to find some data source for situations like "season 1 is on Netflix, season 2-4 are on Amazon, season 3-5 are on Disney and the specials are on Paramount+" but the industry have done that to itself so it may as well fix it.
Piracy is still often the easy way out for me now that I have the *darr collection set up. There was a short time where practically every streaming show was on Netflix and piracy was the stupid, difficult way to watch shows, and I actually kind of liked it. Then the industry had to fuck it up for itself by splitting off in a million different subscription services.
Hell, nontechnical people still resort to piracy despite their inability to use torrents. For many, 123-super-movie.entertainmenttonite365.biz or whatever you call it is good enough. These websites, seemingly designed as a benchmark for adblockers, are hard to find or navigate but are still considered better alternatives than the restrictive, annoying, often expensive streaming services.
My theory is that that's for one simple reason: you can find a link on Google and just start watching. No need to open seven different apps and do the search over and over again, waiting several seconds for animations and sign-ins.
Some people may do it purely because they don't have the money to spend 20 dollars on watching two episodes of a show, but the same was once true of music and Spotify mostly fixed the music streaming market for consumers, and youtube caters to the rest. Even the people using weird streaming sites don't download mp3s anymore!
sigh you can lead a horse to water. Look around you, notice that people are not pirating en masse. People prefer to just pay for Netflix. But piracy is so easy! How could this be? Could it be... you're wrong?
I want to signal boost this a bit because it's so incredible once you see it. The "arr stack" is a suite of interconnected software that automates finding pirate media by integrating with a HUGE number of ways to search for torrents, Usenet, etc. It's all self-hostable and with Overseerr as "pick what to download" frontend and Plex as the media viewer, it works so well that it's a genuine Netflix replacement, so easy that parents can use it.
So, it’s easier for me to go through the trouble of finding a good torrent with seeds that download fast than just paying for Netflix and automatically stream to my iPad while I’m at the airport?
getting what you want fast. It is literally that easy & netflix messes it up with being nondeterministic and screaming at me trailers I've never asked for. My autistic self is o.u.t.
Netflix is designed this way because most of the time people don’t know what they want. So it’s a browse, not a search, interface. But it has search so I don’t really understand why it’s a problem to see things you don’t care about for a second before searching.
Other services are browse-mainly, too, but are far less annoying than Netflix. Their UI being so goddamn obnoxious for so long, with apparently no intent to ever change that back to something sane, was part of why I cancelled recently after being a subscriber since the DVD days. (Yes, I used the "stop autoplaying, jesus god who could possibly want that" option they finally added, but it didn't seem to affect all platforms, or else they reset it at some point, I dunno and I wasn't paying Netflix so I could go find out how they screwed it up)
Like, it's terrible specifically for browsing, so its being oriented around browsing isn't really a defense of how shit it is. Sitting there chatting with someone about what to watch and you have to keep moving from thing to thing constantly or it screams over your conversation and/or shows you spoilery, distracting shit. WTF. A few others autoplay or play clips/trailers but without sound, which still sucks but is at least better. I shouldn't have to slam the mute button every time I return to the menu just to keep Netflix from doing stupid crap it shouldn't do in the first place.
Better filters instead of permanently inventing new "categories".
Allow me to filter (and sort results) by playtime, IMDB/Letterboxd score, original language, whether I have watched it before, ect.
If I don't already know the name of a movie, I just need Netflix to show queries like "a French movie shorter than 2:20h with at least 3.5 stars on Letterboxd".
FYI you can turn off the auto-playing ability of trailers in your settings on the website. They will then take affect in any Netflix app you use, too. It's stupid you can't set it from the app, but I turned off autoplaying trailers the day it came out and have liked using Netflix a lot more since then.
Many judge success on this by "do i get 1080". I've found this to be incredibly deceptive for nix and DRM on netflix.
My experience has been that even managing 1080 on a nix platform the experienced quality is substantially worse. Thoughout I was going insane, but checked bitrate and sure enough netflix at 1080 was streaming at much lower rate than on windows 1080.
The article mentions there are three levels of Widevine DRM. I wonder if the level available to Linux (three) not only limits resolution but bitrate, at least as far as what Netflix is willing to serve.
I jumped through all the hoops suggested at the time by the various get netflix to work on linux guides. Extensions and right browser and DRM enabled and whatever other stuff they recommended.
No dice on comparable quality.
I should add that there is always the possibility that there was some gfx driver or codec dynamic at play that I don't understand...but ultimately if it's visually noticably worse that's a fatal flaw regardless of reason.
When you say “security through obscurity” there’s a certain understanding that we’re drawing a line between implementation secrecy (obscurity / obfuscation) and key secrecy. If we extend the word “obscurity” to include the notion of physical security, I think we’ve gone too far—even if physical security is just the physical security of a secret embedded in silicon that you have physical access to (because it is super difficult to recover secrets from silicon).
With DRM the user who owns the machine is the "attacker". The keys have already been handed to the user, he only needs to get them out.
This is like hiding an API key in a public website's javascript with rot13. Very much security by obscurity.
Proper security means that the attacker should never be in possession of the key.
The standard for cryptographic security is that the attacker can do no better than brute force. And the complexity for that is usually set high enough that it is out of range for the entire computational capacity of our civilization for years to come.
I'd say handing the key to the attacker in a package that requires somewhere between a skilled reverse-engineer and a semiconductor lab to untangle falls far short of that standard.
While cracking the hardware is an interesting technical challenge, it is certainly not the only method. Security is only as good as the weakest link -- the human factor. Thus, piracy groups are able to use social engineering to crack Widevine without relying on advanced laboratories. See [1].
The same goes for the HSMs that power the internet's certificate authorities then. If there were a precise enough CT scan that could read the current state of atoms and flash, we'd have a major security problem.
The only reason L1 doesn't prevent people from pirating 4K HDR movies is because the Nvidia Shield has a bypass, and Google is too afraid to revoke its keys (or maybe Nvidia is paying millions of dollars a year to rights holders for their 'lost sales' from pirated movies at the hands of the Nvidia Shield).
At the end of the day, the user's hardware/software has to be given a decryption key for the content, and the DRM scheme is all about obfuscating that encryption key so that users can't find it.
Sort of, within constraints. L1 both decrypts and decodes, so you can’t really use it as a pure decryption oracle, but it doesn’t matter if you’re going to re-encode it anyway.
Not that it really matters, since HDCP has been cracked. There are a lot of holes here and a lot of problems with DRM.
Eehhh at the end of the day, L1 is still almost impossible to bypass and hasn't been broken in years. So it still works, meaning it doesn't really matter even if it's security by obscurity (I dont think it qualifies for the term but anyways).
L1 has been bypassed by piracy groups for years (through social engineering). They just don't share the keys publicly because it would give their opponents an advantage. See [1].
True, I didn't realize those were l1 keys. I'll have to read up on the revocation mechanism, if there is any. I'm also wondering how those keys usually leak. Is it through vulns, or just exploiting unsecure key handling?
Circumventing higher levels of Widevine has been unnecessary until now, since the HDCP protecting the inevitable HDMI video output has been thoroughly cracked. Pristine 1080p and 4k copies of Netflix content is widely available.
> since the HDCP protecting the inevitable HDMI video output has been thoroughly cracked
My impression is the stuff coming from the various streaming services is not captured and reencoded, but direct bit-for-bit copy of the original H.264 (or H.265) encoding (sans DRM). (Yeah, others will do reencodes later but quite a bit of the source material encoding comes directly from the streaming sites.)
You're right that there is plenty of directly stream-ripped content out there, presumably using cracks of various levels of Widevine. The makers of these tools and the groups using them tend to keep quiet about the details of the precise exploits they're using, for obvious reasons. Ultimately, there's no shortage of DRM-free 4K content, whether from streaming services or Blu-Ray, since there's always a weak point in the chain somewhere.
Yeah. With blurays, you can always extract the device key out of some Bluray player. It's an extremely poor user experience for bluray consumers to have their devices stop working for new movies, so my impression is these keys aren't blacklisted all that quickly. For the streaming sites, I have no idea. But, yeah, the cleartext bits need to get in front of the user eventually.
BluRay has two security systems. One is based on key revocation (AACS) and one is based on embedding programs written by companies contracted by the movie studios which do dynamic detection of rippers. AACS failed almost immediately because indeed, keys leaked faster than they could be revoked. BD+ proved much harder, at least in the early years. But it was only ever designed to last about 10 years according even to the sales pitch of the designers and it's older than that now, so I wouldn't expect it to be all that effective anymore especially since Intel pulled SGX from their client chips.
Capturing video via HDMI is less than optimal, since you then have to encode a 2nd generation lossy copy. Ideally, you want to decrypt the original audio and video streams before they've been decoded and sent to the display.
I believe that L2 would be weaker than L3 in practice, which likely explains why I've also never seen it implemented (If you know about an L2 instance I would be genuinely interested in taking a look)
According to the descriptions I can find, L2 does cryptography in secure hardware, but video decoding in software. (as opposed to L3 that does both in software, and L1 that does both in hardware).
In L3, you can obfuscate the cryptography and the video codecs together as a unit, blurring any defined border between them. A determined reverse-engineer can inevitably unravel that obfuscation, but it's non-trivial.
In L2, there must be some interface between the hardware and software components. That interface presents itself as a very obvious weak point. As an attacker, all you'd have to do is watch the data flowing out of the cryptography hardware, and into the video decoder software, and you'd be able to siphon out the plaintext video data.
(To be clear, this is entirely "in theory" because I've never seen an L2 implementation)
security through obscurity is generally not about keeping a well known encryption scheme's keys "private". It's generally about not knowing how a system works at all. In this case (and the same for blurays actually), we know exactly how the system works, given the keys we could decrypt the content, but the keys are kept "well" protected (depending on widevine level, different levels of protection). In BluRay land enough player keys have leaked to make it basically irrelevant. It's also harder to determine whose keys are being used to decrypt, making it harder to revoke. In an online widevine world where one has to use one's baked in device keys to get the content key, its much easier to determine if a single device's key is being used an abnormal amount of time and then revoke it.
while one can view the efforts to protect a widevine l3 key as security through obscurity, its mostly there to make the effort hard enough that most people are interested in doing it, than to keep it perfectly secure.
> Or rather, that was all true at the time when I first investigated Widevine-on-Asahi, several months ago. A few weeks ago, Google decided to enter the 21st century and started shipping aarch64 userspaces on certain Chromebook models. This means that "Widevine-in-Chrome-on-Linux-on-aarch64" does exist. The ChromeOS blob extraction process works as before, and the Pi Foundation conveniently packages it as a .deb for Pi users.
Not the point of the article but this is great news that I learned just now. I can finally upgrade to aarch64 chrome on my Raspberry Pis.
Anyone who knows some technical detail about Widevine, please could you explain what is the difference between L1 and L3 (other than resolution/quality)?
How does each interoperate with EME?
And what sort of process would one need to do, to be able to view an L1 stream on a bespoke Linux distribution, rather than the L3 stream that this person received? How difficult is it to do, and what are the specific challenges?
Levels are primarily about various kinds of hardware protection, I think. The lowest level just uses ordinary software obfuscation in the widevine library that this article is about, and regular updates to change the media keys.
Higher levels integrate more with special hardware "APIs" of various kinds. I think you generally cannot play the highest levels on PC hardware at all, it's more meant for Apple TVs and other such devices. Other levels may require things like the Windows protected media path, which lets you upload encrypted video data to the GPU and then it's up to the GPU firmware to decrypt it. So then it becomes a question of understanding how the GPU is decrypting the data and defeating that.
I was looking into this very problem yesterday! Terribly scared by widewine, I ended up building webkit with eme support enabled, then enabled the relevent setting in the nyxt browser. Seems to be working fine so far.
> Most streaming platforms will limit you to only "HD" content on L3 (as opposed to 4K on L1). On Netflix, this upper limit is 1080p (although it might depend on the specific content you're trying to watch?), but you are further limited to a mere 720p by default. For some reason, you can only get 1080p if your client asks nicely for it (at the protocol level), and there are browser extensions that do this for you automatically.
Netflix quality is crap on Linux, I just torrent everything as it is simpler and I can use a player that allow me to put the subtitles where I want. I know I say this bluntly but I came to a point where I cannot get all this nonsense about not trusting the user. I buy music on band camp that I do not "distribute". I do not believe removing DRM would yield to higher unauthorized distribution.
Also do not be fooled by resolution, low bitrate 1080p can look worse than 480p, and many services are quietly throttling bandwidth.
I don't remember about Netflix but Prime Video on Linux was capped to HD resolution (at least one year ago) so I went back to that thing that is more convenient and free.
That's why Netflix content is available almost immediately on any decent tracker. The quality would not look nearly as good if it was grabbed using a capture card.
Like others have mentioned, it's security theater for the content owners who most likely require Netflix to have DRM in place in their contracts.