Fixed BBC iPlayer hacked again

Just hours after the BBC said it had fixed the iPlayer streamed TV service to prevent DRM-free file downloads, a London-based programmer has bypassed the new protection.

Paul Battley, a developer for crowd-sourced reviews site Reevoo, wrote on his blog on Thursday that he had "defeated" the fixed iPlayer code.

"BBC News proudly announced the BBC's victory over those of us who had figured out how to download their iPhone iPlayer streams," wrote Battley. "I am happy to announce that I've defeated them once again!"

Speaking to ZDNet.co.uk on Friday, Battley said that he had asked a colleague to use an iPod Touch, combined with a debugging proxy, to watch the communications made during legitimate iPlayer access. Battley then used plug-in requests to look through the JavaScript to work out the changes that had been made to the iPlayer code. He then rewrote his own original Ruby iPlayer interface "hack" code.

"I did it mostly for entertainment and for the challenge of doing it," said Battley. "Also, I'm a Linux user, and the BBC iPlayer originally was only for Windows — I felt a bit alienated. The BBC released the iPhone version of iPlayer, and there's no Linux support."

Battley added that one version of iPlayer does stream to devices that can use Flash Player, and that Flash does work on x86 versions of Linux. However, unhacked versions of the iPhone don't have Flash capabilities.

The iPlayer hack released on Thursday can run on Linux, Windows and Mac operating systems, Battley claimed, and circumvents Windows-based digital rights management. Legitimate iPlayer downloads expire after a fixed period of 30 days on a PC. In a test on an Ubuntu desktop PC, ZDNet.co.uk confirmed that Battley's program works as claimed, successfully downloading an unencumbered copy of the TV programme 10 Days To War — These Things Are Always Chaos and playing it on the VLC video client, which is not Windows DRM-compliant.

The BBC had not responded to a request for comment at the time of writing. However, in its story announcing that the iPlayer had been fixed, the BBC stated that it expected people to hack the iPlayer again.

"The BBC admitted that it was most likely facing a cat-and-mouse game with hackers intent on circumventing copy protection," said the BBC story. "It's an ongoing, constant process and one which we will continue to monitor," said the corporation in a statement.

Thanks to reader dogStar for alerting ZDNet.co.uk

Talkback

I'm still waiting for the day when, as a UK resident paying a license fee but working in France, I can use iPlayer (not to mention the rest of the BBC web site). After all, I've helped *pay* for it all.

Next time I'm home I'm leaving behind an old laptop running as a proxy server. A shame I have to go to such lengths to be able to watch and listen to things I feel I have a legal right to.

52374 15 March, 2008 18:36

Wouldn't the BBC need access to the TV license database to do what you're requesting? And then ask overseas users to enter their TV license number or something before being allowed access to the site? And what would you expect to happen if your license number seemed to be being used by people other than you?

Or were you hoping more for a checkbox like: "Are you a UK TV license payer? (Y/N)"?

Chris Rankin 16 March, 2008 17:31

I don't know what the relationship is between the Beeb and the licensing authority. However, I can't see it being that hard to have a one-off registration resulting in a login that can be used anywhere. The police are allowed to access the DVLA database, for instance, and the two organisations aren't otherwise related.

Sure, there's the issue of people passing it on to friends/relatives abroad but doesn't that happen with enough systems already? Besides, if all else fails there's always BitTorrent. I don't mind admitting I've been using it to keep up with programs from home I can't otherwise watch, such as Match of the Day. It'd just be nice to watch it live instead of having to wait a day or so for some kind person to upload it.

It just strikes me as amazing that in this day and age with borders (electronically) coming down so readily, we have stumbling blocks like this. Some of the content the BBC won't allow to "foreigners" includes simple web content. Try visiting the Spooks web site outside of the UK - none of the content is available - you can't even check the episode guide.

I sympathise with them on the likes of football coverage - the license restrictions are out of their hands - but are they losing out financially on someone in, say, Germany wanting to find out what season of Spooks we're on? Other program sites aren't affected. All very strange.

I love the BBC. I think that we're fortunate to have it as it produces some of the best drama, comedy and documentary programs in the world. It's simply frustrating funding it and not being allowed to (legally) watch the stuff.

52374 16 March, 2008 18:08

The succession of hacked/patched/hacked/patched/hacked stories, whilst very exciting, have two fundamental flaws:

1) The BBC's so-called 'copy protection' for the iPhone is merely 'security through obscurity'. It's all based around 'identifying' an iPhone from characteristics of its web-browser. Describing circumventing these trivial and shallow techniques as 'hacking' is a very long stretch of the imagination. All very good for distracting readers from the real story - people won't ask questions about what this *really* means if they are spun an exciting story about system 'hackers' in some escalating war with the BBC.

2) THERE IS NO DRM INVOLVED IN THE iPhone's SO-CALLED 'COPY PROTECTION'. The BBC's 'Future Media' department have consistently claimed that they cannot do a cross-platform iPlayer because of the DRM requirement, and have consistently claimed that the DRM requirement means Microsoft DRM.

The BBC, by their own actions, have invalidated their single biggest argument for not creating a cross-platform iPlayer.

Naturally, they are not exactly trumpeting the fact they are quite happy to drop the DRM for a 'favoured' platform (oh, and btw, what are the relative numbers of iPhone users to Linux users?).

The press attention on the 'hacker' wars is perfectly welcome - it keeps the questions away from the *real* story here...

Sothis 17 March, 2008 10:01

A TV Licence is required to watch live broadcasts, i.e. News24 via the BBC website, but is not required to watch 'catch up' ITV, or BBC iPlayer programmes. BBC have stated that the number of people without TV Licences and with High Speed Broadband is extremely small, that it is currently not an issue for TV Licensing Revenue.
TV Licensing have stated they would prosecute individuals watching live transmissions regardless of the method of receiving the live transmission, i.e. Broadband enabled Live broadcasts.

adamjarvis 17 March, 2008 11:20

And the rationale for wanting access was that they were still paying the UK license fee.

Chris Rankin 17 March, 2008 12:58

...not just live feed, or indeed programmes. Also other web content, such as the Spooks web page. All of which I've helped to fund, none of which I can access outside the UK (short of setting up a proxy server back home and running through that all the time).

Mosh 17 March, 2008 15:50

This is an interesting set of statements, and I have an idea what the thrust of your argument is. However, if you could clarify what you mean, that would be great.

1. Who is spinning what, exactly, and why?
2. How is the iPlayer employing "security through obscurity"?
3. How do you use the word 'hack'? Do you mean the word 'hack' should only be employed by the media when the subject is the serious compromise of computer systems? Can it not also be used to describe a workaround?
4. What do you mean when you say "there is no DRM involved in iPhone copy protection"?
5. What is the "real story" here?

Best,

Tom

Tom Espiner 17 March, 2008 16:15

Tom,

Of course, more than happy to clarify:

1. Who is spinning what, exactly, and why?

BBC, the story, distract attention and damage control.

2. How is the iPlayer employing "security through obscurity"?

Specifically, the iPhone client is employing "security through obscurity". There is no DRM involved, it is an entirely unencrypted MP4 stream, the 'copy protection' is *not* copy protection, they are simply relying on the particular characteristics of the browser installed on the iPhone - relying on nobody else knowing the characteristics of a browser is, how to say it... 'unwise'

3. How do you use the word 'hack'? Do you mean the word 'hack' should only be employed by the media when the subject is the serious compromise of computer systems? Can it not also be used to describe a workaround?

To an extent we're just talking semantics here, and of course these are arguable. Personally, I don't believe this circumvention warrants the term 'hack', but not really my point. To the wider world the terms 'hack' and 'hacker' have negative connotations. If the real story is that the BBC have double standards where it comes to DRM, the attention on the 'hacker war' will cover this up.

4. What do you mean when you say "there is no DRM involved in iPhone copy protection"?

I mean exactly that. There is *no* DRM involved. As the BBC will themselves admit when pushed, the DRM is *added* at the last minute in the case of the Windows XP client. The 'stream' to the iPhone is not a stream, it is a simple MP4 file (which is why it is being downloaded).

5. What is the "real story" here?

Simply this.

The BBC have been claiming that the reason they could not produce a cross-platform iPlayer was DRM. They used this excuse to the press, the BBC Trust, to OFCOM, to the Open Source Consortium, and to everyone.

They claimed this was absolutely non-negotiable.

And yet here, we *clearly* have the BBC violating their own rule.

So what is it to be, BBC? One rule for the iPhone and another for every other platform?

Is DRM essential for the iPlayer, or is it not?

Somebody, somewhere is not telling the whole story...

Sothis 17 March, 2008 16:58
