[mythtv-users] Be vewy, vewy quiet! We'a huntin' pirates! hehehehehehe!
Sam Varshavchik
mrsam at courier-mta.com
Thu Jun 21 23:06:29 UTC 2007
I heard that there supposed to be a forum on zap2it, but, I dunno, it looks
to be broken to me. After succesfully logging in, if I click on "Form Home",
I just get thrown back to the login screen. Oh, well.
I believe that it is possible to implement technical measures to prevent
wholesale piracy of program guide data, yet allow legitimate usage by
MythTV, with some minimal impact.
It does require some overhead on the part of their servers, but, BUT, in
exchange they'll get their hands on some additional demographical data.
Specifically: who is subscribed to which programs, who is searching program
guide for which keywords, and who is watching live TV (but not which
channel), and when, approximately. I have no idea if this extra
demographical data is sufficiently valueable to them to offset the extra
load and development costs.
On MythTV's side there's also a bit of penalty to suffer. You have to be
connected to the Internet when viewing live TV, and keyword/title searches
require pings to the mothership -- but you need Internet access to grab
program guide anyway, so that should not be a problem, aside from a brief
delay waiting for the ping to come back with the necessary keys.
No, it's not what it seems at first glance. I think there's a clever way to
get this done with minimal per-event overhead (the sum total of everyone's
overhead is the unknown factor to worry about). The same approach can also
be used by a MythTV community-based program guide initiative, to prevent
piracy if some kind of arrangements are worked out to obtain program guide
data from a commercial sources and resell it to MythTV subscribers, at-cost.
If I was able to log on to their forums, I'd post the details of my proposal
there, but, over here I'll just give the capsule summary of my idea, and
I'll extrapolate further, if there's interest.
Here's how I see things.
You need to be able to discriminate between wholesale theft of the entire
program guide, versus normal usage by MythTV. If this is going to be a
technical solution, you need to have a technical distinction, to exploit.
Specifically, a technical distinction between a legitimate subscriber, and
the pirate.
Here's what I think is the technical distinction. With wholesale theft, you
need to grab the details of every program, on every channel. You need to
"use" everything from the program guide.
On the other hand, look at an individual MythTV subscriber? What does he/she
"use"?
As far as I can tell, you and me only "use" program details about stuff we
record. You and me also need to do simple keyword searches, and perhaps get
quick snapshots of abbreviated program titles for short blocks of time, to
display the channel grid.
That's the difference. We do not need to really know the details of all
programs on every channel, 24x7. Just the stuff that we watch. That's the
technical difference between us, legitimate subscribers, and whoever's
stealing and reselling whole program data. That's the key difference that
the technical solution can explot. Here's how.
Encrypt program guide details with a symmetric key. A unique key for each
subscriber, time, and channel. Require a ping to the mothership, to grab the
key for the program whose full details you want to open. Anyone who tries to
grab the details of every program in the guide is going to stand out like a
sore thumb.
On the server side, you do //not// need any kind of a database dip to give
back the right key. There are some tricks you can use to pull this off. The
symmetric cipher key is a known secret, to both MythTV and the mothership.
What the server returns the initial vector, to feed into the symmetric
cipher decryptor function. And the initial vector is a hash of the
subscriber ID, the time, the channel, and a secret salt known only to the
server!
If anyone's familiar with how syn-cookies anti-DDOS defense in the Linux
kernel works, this is the same general idea.
You don't need to validate the subscriber ID. Just take the request, run all
variables through MD5/SHA1/SHA256/whatever, send back the results. Done.
MythTV now knows everything needed decrypt just this individual program's
details.
You still need to do searches. How do you search the program guide, if
everything's encrypted? I think there's a way to do it. Also, the same
solution also works for grabbing a small time slice's worth of abbreviated
program titles, to throw up on the screen.
But, I've had a long day at the office, and I need to grab some dinner.
Anyone listening? No need to spill more pages of electrons, if they'll all
going to waste. My final thought, for now, is that I'm not fooling myself.
Even if everyone agrees and begins working on this now, the necessary bits
are unlikely to get done by the deadline. But, I think that the overall
problem is doable, at least in theory.
What I'd love to know is whether or not TMS did consider a similar solution,
but rejected it due to the overhead/development costs, or if they simply had
no resources with background in cryptography/information security, that
could design such a scheme. It would be a real shame if they chose to throw
in the towel just because they just couldn't figure out how to safeguard the
data, even though, I believe, it is technically feasible. It's one thing to
reject it based on the cost/benefit analysis. It's another thing to give up
just because you didn't have the technical know-how.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mythtv.org/pipermail/mythtv-users/attachments/20070621/d5e63358/attachment.pgp
More information about the mythtv-users
mailing list