[osflash] osflash - Adobe uses DMCA on RTMP
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue May 26 09:27:18 PDT 2009
folks, my apologies for breaking the threading, i'm replying externally.
replies to various snippets here:
> I think Adobe does this only to publicly show to its clients/partners
> that they do everything they can to protect their content.
well then they fucked up royally this time, didn't they. if they'd
kept their fucking mouths shut and made sure that their lawyers' dicks
stayed in their trousers, i wouldn't have been alerted to the
existence of RTMPE, would not have mirrored it, would not have written
up a spec, and would not have noticed that RTMPE is yet another failed
obfuscation attempt which achieves absolutely none of the stated
there's a _really_ good reason why SSL is used, and why SSL
certificates are used: it's to stop man-in-the-middle attacks. you,
dumb-shits (yes, you, adobe-shits) - the use of Diffie-Hellman on its
own is WELL KNOWN to be vulnerable to man-in-the-middle attacks, and
it requires some form of PKI infrastructure (such as SSL certificates)
to stop that happening. if your fucking stupid employees had bothered
to read up on the basics of cryptography, they would have known that.
even i didn't know until two days ago that diffie-hellman when used
on its own suffers from MITM vulnerabilities, but reading the _very_
first web page i encountered (which is on rsa.com) told me all about
secondly: the use of "magic constants" is NOT an "encryption key". if
it's publicly available, and it's unchangeable, it's not a key, is it?
it's a ... what is it? coonnstaaaant. cleever peeopllle.
thirdly: the use of the SWF file hash and size as a "verification key"
is incompatible with claims that this somehow magically stops people
from being able to download content. wronnggggg. anyone who has the
SWF file hash and size can, in fact, download the content, simply by
knowing, well... the SWF file hash and size. they do _not_ have to
actually execute the SWF file itself.
so you are back to the "Trusted Client" issue. quoting
"Trusted client software is considered fundamentally insecure: once
the security is broken by one user, the break is trivially copyable
and available to others."
hmm, that's an interestingly flawed statement, there, on wikipedia.
the assumption is that anything that is running client-side can be
made secure _at all_. but... leaving that aside...
this latter is where adobe is in deep shit. their claims and the
reality expose them to legal liability for having deceived their
customers about the level of security (i.e. - there _is_ none).
juan further writes:
> Even though they knew in advance the code and keys will be mirrored
> all over the internet in a matter of days, as it has happened.
it's clear that adobe has a team of "fuck-all-else-to-do" lawyers who
should, really, be fired preferably out of a cannon at adobe's
earliest inconvenience. they're not paid to think strategically.
they're not paid to think in the best interests of adobe. they're
paid to think of ways that they can utilise the law, regardless of
so i think, juan, that you're giving adobe's shit-for-brains "oo look
there's a project that implements what we like to call 'our shit'
let's go bully them" legal team far more credit than they deserve.
> The silence from Adobe on this thread is deafening.
i'm guessing that even without their management telling them what to
do, they're probably going "ohfuk." actually, you'll probably find
that quite a few of them are wishing they could take their lawyers
and/or management outside and beat the crap out of them with baseball
bats, and that quite a few more are killing themselves laughing.
andru further writes a lot of questions:
> What does this mean for Open Source Flash?
business as usual.
> Are we now forbidden from ever having full interoperability?
no, because there is no basis for the DMCA takedown notice (imo)
1) given that there _is_ no security
2) given that the measures used are so basic that there will be
_plenty_ of prior art
3) not least of all is the fact that there has not been an actual court-case.
only a _judge_ has the right to FORBID you from implementing full
interoperability, not a snotty illegal letter from adobe.
> Will some sites be forever unusable by Open Source players?
only if you cower before the god that is adobe, o great adobe, i
quail at the mere thought of offending your shit-ridden name (tm).
> Are other Open Source projects that implement RTMP in the cross hairs?
if there are then they only have to write to help @ softwarefreedom .
org and the team there will be instantly all over adobe.
> The implications of this move are profound,
not for us, they're not. the only profoundness is how profoundly
stupid the move was, by adobe.
> the people on this mailing
> list are the ones most likely to be affected, and we desperately need
> some clarification from those of you who work at Adobe.
no you don't :) you don't need adobe holding your hand and telling
you how to make innovative free software that will itself encourage
adobe themselves to do better.
> Every minute
> that you stay silent, you are contributing to the fear that this move
> has associated with using the Flash platform.
it's not fear, it's anger.
the backlash against the stupidity of illegally using a pointless law
for bullying purposes leaves people going either, "how can we make
these people irrelevant? oo, HTML5 has video streaming! great! let's
make that better!" or going "fuck you, adobe, we're going to implement
RTMPE despite your illegal use of a DMCA takedown notice".
if you do that, as one free software project already successfully has
in the past 36 hours, and another has made it clear to me that they
intend to do so in the next few weeks, and Adobe decide to get
stroppy, then eben moglen has already made it clear that the Software
Freedom Law Centre will help out.
thank you - added to the list :)
> That baby picture is just the cutest....
thank you :) i wonder how she'll react when she's a teenager, "ooo
were you that cuute baby in the adobe fiasco? aww, little daarliiing."
i mean, it's enough when family does that - strangers too? mwahahah.
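
The Diffie-Hellman point in the message above, as an added example (not part of the original post and not RTMPE code): an unauthenticated exchange completes normally with a substituted public value, while authenticating the public values makes the receiver reject it. The toy group `P`/`G`, all function names, and the HMAC under a pre-shared secret (standing in for the certificate signature a PKI would provide) are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy modulus, constructed for the demo; far too small for real use
G = 3           # toy generator (assumption)

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Both sides hash g^(ab) mod P into a symmetric key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(auth_key, pub):
    # Stand-in for a certificate signature over the sender's public value.
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def handshake(relay_in_path, auth_key=None):
    """Simulate one exchange; report what each party ends up able to compute."""
    c_priv, c_pub = keypair()   # client
    s_priv, s_pub = keypair()   # server
    m_priv, m_pub = keypair()   # in-path party substituting its own value
    seen_by_server = m_pub if relay_in_path else c_pub
    seen_by_client = m_pub if relay_in_path else s_pub
    if auth_key is not None:
        # Senders tag their real values; the in-path party lacks auth_key and
        # can only forward those tags. Receivers recompute over what arrived.
        # auth_key must be a real secret: a constant shipped in every client
        # authenticates nothing.
        ok = (hmac.compare_digest(tag(auth_key, c_pub), tag(auth_key, seen_by_server))
              and hmac.compare_digest(tag(auth_key, s_pub), tag(auth_key, seen_by_client)))
        if not ok:
            return {"accepted": False}
    c_key = session_key(c_priv, seen_by_client)
    s_key = session_key(s_priv, seen_by_server)
    return {
        "accepted": True,
        "endpoints_agree": c_key == s_key,
        "relay_has_client_key": session_key(m_priv, c_pub) == c_key,
        "relay_has_server_key": session_key(m_priv, s_pub) == s_key,
    }

if __name__ == "__main__":
    print(handshake(relay_in_path=True))
    print(handshake(relay_in_path=True, auth_key=secrets.token_bytes(32)))
```

In the unauthenticated run neither endpoint sees an error: each simply holds a key shared with the in-path party rather than with its intended peer.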