CENTURY CITY, Calif. — While attending the recent NAB Show in Las Vegas, Sean Flynn, chief technology officer for Marvel Studios, repeatedly heard (“Too many times to count”) that content creators should simply trust their cloud service providers.
That’s advice every content company would be wise to ignore, he said April 22, speaking at the Hollywood IT Summit.
By Chris Tribbey
Undetected for two years, Heartbleed is estimated to affect a full two-thirds of Web servers on the Internet, compromising everything from passwords to credit card numbers.
The Content Delivery & Security Association (CDSA) asked Stephen Bono, owner of technology vulnerability testing company Independent Security Evaluators (ISE), and ISE executive partner Ted Harrington, about the severity of Heartbleed, and what steps businesses need to take to protect themselves going forward. Read more
By Chris Tribbey
A keynote conversation with professor Jonathan Taplin, director of the University of Southern California’s Annenberg Innovation Lab, is just one highlight of the Hollywood IT Summit, coming up April 22 in Los Angeles.
Tackling hardware and software platforms, big data and data analytics, vendor management, network connectivity, software as a service (SaaS) and more, Hollywood IT Summit panelists include the top chief information officers and chief technology officers from the major Hollywood studios.
More than 450 industry executives attended the event last year when it was held at Pepperdine University, and more are expected next week when the venue shifts to the Hyatt Regency Century Plaza.
By Chris Tribbey
LAS VEGAS — Justin Somaini, VP and chief trust officer, for online file sharing and cloud content management service Box, believes companies that deal with the secure delivery of content in the cloud are finally starting to ask the most important questions when they take on a new client.
“What’s the actual value of their content [and] what is the impact of a security failure?” he said April 9, speaking at the annual NAB Show during a panel on cloud reliability and security. “A script is just a file for all intents and purposes. But movies are there to get an emotional reaction.
“Ask a director, and it’s more than a script. [It’s] lightning in a bottle.” Read more
By Chris Tribbey
In February the Advanced Access Content System Licensing Administrator (AACS LA) — the industry consortium that licenses copy protection used on Blu-ray Discs — won a legal judgment against a long-time foe.
On Feb. 21, a court in St. John’s, Antigua and Barbuda, found Giancarlo Bettini, owner and founder of DRM-circumvention software company SlySoft, guilty of violating the nation’s copyright law.
According to AACS LA attorney Bruce Turnbull, it was the first time the twin-island Caribbean nation invoked its criminal anti-circumvention statute, 11 years after the law was first established. And the $30,000 fine against Bettini isn’t nearly as important as the precedent the ruling sets, Turnbull said. Read more
By Chris Tribbey
Hollywood has seen its share of recent successes in the fight against online piracy, with the successful shutdowns of file-sharing sites Megaupload and Hotfile.
But while those sites were culpable of copyright infringement — blatantly hosting copyright-protected files — a new app-based offering could prove to be the toughest test yet in the industry’s fight against online piracy. Read more
A week before the Oscars were handed out March 2, online BitTorrent tracking site TorrentFreak already had Best Picture winner 12 Years a Slave as No. 1 on its list of most recently pirated films.
After the Oscars it only got worse: after 12 Years a Slave won the most coveted award in Hollywood, illegal downloads of the film tripled the next day, with more than 100,000 week-over-week additional illegal downloads, according to TorrentFreak’s data. Read more
By Chris Tribbey
Richard Atkinson, the global director of piracy conversion for Adobe and newly installed chairman of the Content Delivery & Security Association (CDSA), offers his thoughts about the direction of CDSA, the security threats facing the industry and the role of government in fighting cyber security threats. Read more
By Chris Tribbey
John Landgraf, CEO of FX Networks, had every reason to be upset when he recently ran across a piracy site offering a free stream of Avatar. And not just because it was stealing the property of sister company 20th Century Fox.
Running right alongside that illegal Avatar stream was a commercial for Volvo, Landgraf said, speaking at a recent conference. When a major brand has ads appearing on sites that deal in piracy, it offers legitimacy to those profiting off illegal content, he said.
Ribose has achieved certification for Content Protection and Security (CPS) from the Content Delivery and Security Association (CDSA). All audited areas were rated as Green, which indicates full compliance and a low level of risk. Ribose is the only collaboration platform worldwide to have achieved CPS certification. Read more
By Chris Tribbey
The Content Delivery & Security Association (CDSA) Board of Directors has elected Adobe’s Richard Atkinson as its new chairman.
Atkinson, the global director of piracy conversion for Adobe, takes over for Microsoft’s James Dunkelberger, who led the organization the past two years.
“To me, CDSA is one of the few associations that stitches together the entire entertainment and software industry, from movies and TV, to games, to music, to software,” Atkinson said. “All of us have many things in common when it comes to content security and distribution, and it’s my intention to continue to drive CDSA in ways we can leverage and learn from the great knowledge and leadership that is spread across the industry.
Communications technology company Level 3 ended the year in fine fashion, posting a fourth quarter profit of $14 million, compared to a loss of $56 million during the fourth quarter of 2012.
The results came despite a minor drop in quarterly revenue, $1.6 billion for the fourth quarter of 2013, compared to $1.61 billion a year ago. The drop in revenue came from a decline in wholesale voice services and other revenue, down to $159 million from $223 million a year ago. Read more
By Chris Tribbey
Less than two months before passing away at the age of 68, film producer Tom Sherak told a gathering at the Content Delivery & Security Association’s (CDSA) Content Protection Summit that as “film czar” for the city of Los Angeles, he would take on runaway production costs for films and TV shows made there.
But he also had his eye on another problem facing the industry.
“I actually see piracy as a much bigger issue,” said Sherak at the Dec. 12 event. “The things we are doing trying to protect [content] are expensive and have to be done, but piracy has become ingrained in the younger generation. [They believe] that content is not owned. It’s theirs.”
By Chris Tribbey
Bill Frack, managing director of L.E.K. Consulting, has both good news and bad news for the media and entertainment industry.
His firm estimates there are 42 million people in the U.S. who pirate content, amounting to a billion pieces of content that are being illegally viewed. The good news? Nearly 95% of those people pay for content as well.
Those are the “dual consumers,” as Frack calls them. “One of the key things to being successful is understanding your customer, and to understand this problem, you have to know the customer,” Frack said, speaking at the recent Content Protection Summit, produced by the Content Delivery & Security Association. Read more
David Lowery Delivers Afternoon Keynote at CPS 2013 – Next Week’s Event Covers Security, Piracy and Everything In Between
By Chris Tribbey
David Lowery is on a mission.
The frontman for the bands Camper Van Beethoven and Cracker and researcher and lecturer at the University of Georgia has become one of the more polarizing figures in the movement for musicians’ rights in today’s Internet age, quickly becoming a leading voice against online sites that make a buck off music lyrics without paying songwriters. Lowery will be the afternoon keynote speaker Dec. 12 at the 4th annual Content Protection Summit, presented by Variety and the Content Delivery & Security Association. The daylong event will be held at the Four Seasons Hotel Los Angeles at Beverly Hills. Read more
CDSA Releases Updated Version of its Content Protection Security Standard, Making Ongoing Improvements to its International Certification Program
NEW YORK — The Content Delivery & Security Association (CDSA), the international association advocating the secure and responsible delivery and storage of entertainment, software, and information media, announced today the release of an updated version of its Content Protection and Security (CPS) Certification Standard.
“The new Standard provides a more consistent approach and enhanced security processes. Importantly, the accompanying guidance documentation now features a detailed gap analysis between our Standard and the ISO 27001/2 and the MPAA Best Practices, which streamlines the certification workflow for companies undergoing multiple audits and provides a better understanding of our program to the industry as a whole.” said CDSA’s Worldwide Director of Anti-Piracy Peter Wallace.
CDSA’s CPS standard enables media and entertainment service providers of any size or scope to minimize risks associated with handling, storing, and delivering both physical and digital entertainment media. CDSA’s unique model works in partnership with content holders and their service provider partners to provide regular updates and improvements based on industry review and feedback.
The Content Protection & Security (CPS) Standard has been in widespread use for three years and is now an integral part of the security processes at over 100 sites worldwide. Since being published, it has been successfully implemented in a range of physical and digital supply-chain companies including replication/distribution, post-production, digital cinema, e-Commerce, and cloud computing services.
For more information about the program visit www.CDSAonline.org or contact Peter Wallace at pwallace@CDSAonline.org.
Last month CDSA had the pleasure of attending an open house thrown by Los Angeles Duplication & Broadcast (LADB) at its Burbank facility, right across the street from Disney. It was a high-end affair with a tented red-carpet entrance, exquisite hors d’oeuvres and a well-dressed army of servers and valets. Eric Collins, LADB’s president and co-founder, gave hands-on demonstrations of the company’s ultra-secure and monitored mobile delivery unit, and staff offered VIPs tours of a first-class facility that handles a multitude of “just-in-time” services for its studio and broadcast clientele. Robert Seidenglanz, LADB’s co-founder, also took time to guide guests through the facility, showcasing the capacity it has added through an efficient workflow strategy and a companywide customer-service culture of being reliable, fast and cutting edge, so as to deliver on just about any need a content creator or production unit proposes.
It was a lovely evening, but looking back on the event it is their business culture around quality and content security that keeps resonating. In the tented area outside the front entrance their security consultant, Tom Carlson, gave an overview presentation throughout the event on the strategy he helped LADB create, in which a commitment to both quality work and security is a cornerstone of the value proposition to customers. In addition to being a CDSA-certified facility, LADB holds dual ISO certifications (9001 and 27001) and clearly adheres strictly to the MPAA’s best practices for facilities working with its member companies. LADB is one of the only small companies committed to this comprehensive, three-pronged security approach validated by third-party oversight. What is so impressive is how the structured process built around these industry standards and initiatives drives the entire business, from the drivers and front-desk staff all the way up to the senior management team. And the fact that LADB understands the importance of risk and accepts the stewardship role and responsibility for its customers’ content against all threats, whether internal or external, deliberate or accidental, demonstrates that LADB is a thought leader for smaller companies in the production chain.
What is also notable about their formal program and commitment around security is not only their internal practices on client satisfaction, quality management and education, but the fact that they have processes in place to continually improve both quality and security service delivery. By having a mechanism for monitoring and measuring each internal department’s (IT, HR, Operations, Purchasing, Sales) activity with clients’ content, through both internal and external oversight and a commitment to change management, they are exemplary in approach with an eye to the future. This is critical for any business working in our industry: a commitment to continually evolve with the technologies that help the creative community make the best content in the most efficient and secure workflow possible.
For additional information on Los Angeles Duplication & Broadcast you can visit their website at http://www.ladb.com/
FFmpeg is a complex software project designed to process virtually every video format in existence. Video formats can be extremely complex as well, and writing a new encoder or decoder is an expensive and error-prone task. Application vendors instead use FFmpeg, a freely available library, to process video files.
Like most large, complex software libraries, security vulnerabilities in FFmpeg have been discovered and repaired in new releases. It should be noted that FFmpeg’s past vulnerabilities do not indicate a poor quality product, and the fact that a given system relies on FFmpeg should not be considered a security vulnerability.
FFmpeg is written in C (with hand-written assembly for performance-critical routines), a language that trades some safety for speed. In particular, C performs no bounds checking on buffers, so nothing in the language itself prevents a buffer overflow. Successfully exploiting an unchecked buffer lets an attacker overwrite memory adjacent to the buffer, including control data such as return addresses and function pointers, and so redirect the program to execute instructions of the attacker’s choosing, giving the attacker control over the computer.
An attacker can take advantage of unchecked buffer vulnerabilities by carefully crafting a malicious video file that may not even be playable or contain any frames or audio. When FFmpeg processes the malicious file, the vulnerability is exploited and the attacker’s code embedded within the video file is executed. Figure 1 shows how an attacker could take advantage of a publicly accessible, vulnerable system to gain access to the backend network to which the vulnerable system is connected. If the backend network is not carefully segmented, this allows the attacker to bypass the firewall.
Figure 1. An attacker crafts a malicious video file and transmits it to a vulnerable system. As this is legitimate access to the system, it is not blocked by the firewall or other perimeter defenses. A successful buffer overflow exploit could provide the attacker with full control over the vulnerable system, providing a network pivot point to access and attack other systems on the backend network, even if they are not vulnerable to the particular buffer overflow attack and would normally be protected by the firewall.
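The following is an added illustration, not code from this memo or from FFmpeg: a toy chunk reader of the kind a demuxer contains, with the unchecked length handling that produces the vulnerability class described above placed beside a checked version. The chunk layout (a 4-byte tag, a 4-byte little-endian length, then the payload) and the 64-byte private-data buffer are assumptions made for the example; the constructed inputs include a chunk that declares a length larger than the destination buffer and one that declares more bytes than are actually present, which is exactly what a crafted file does.

```c
/* Added example, not FFmpeg code: a toy RIFF/AVI-style chunk reader that shows
 * the unchecked-buffer pattern described above beside a checked version.
 * Assumed layout: 4-byte tag, 4-byte little-endian payload length, payload.
 * The reader copies a "strd" (codec private data) chunk into a fixed buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PRIV_MAX 64

enum { PARSE_OK = 0, PARSE_BAD_HEADER = -1, PARSE_TRUNCATED = -2, PARSE_TOO_LARGE = -3 };

struct stream_priv {
    uint8_t data[PRIV_MAX];   /* fixed-size destination the file must not exceed */
    uint32_t len;
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE: trusts the length field taken from the file. A chunk declaring
 * len > PRIV_MAX writes past priv->data (a stack or heap smash, depending on
 * where priv lives); len > bytes present reads past the input. Kept here for
 * contrast only; never call it on untrusted input. */
int read_strd_unchecked(const uint8_t *file, size_t file_len, struct stream_priv *priv) {
    if (file_len < 8 || memcmp(file, "strd", 4) != 0)
        return PARSE_BAD_HEADER;
    uint32_t len = rd_le32(file + 4);
    memcpy(priv->data, file + 8, len);   /* no check against PRIV_MAX or file_len */
    priv->len = len;
    return PARSE_OK;
}

/* HARDENED: every length taken from the file is checked against both the
 * destination capacity and the bytes actually present before any copy.
 * Comparisons are on sizes, not on pointer arithmetic that could wrap. */
int read_strd_checked(const uint8_t *file, size_t file_len, struct stream_priv *priv) {
    if (file_len < 8 || memcmp(file, "strd", 4) != 0)
        return PARSE_BAD_HEADER;
    uint32_t len = rd_le32(file + 4);
    if (len > PRIV_MAX)
        return PARSE_TOO_LARGE;          /* would overflow priv->data */
    if (len > file_len - 8)
        return PARSE_TRUNCATED;          /* would read past the end of the input */
    memcpy(priv->data, file + 8, len);
    priv->len = len;
    return PARSE_OK;
}

/* Build a chunk in memory. The declared length may differ from the payload
 * actually supplied, which is exactly what a crafted file does. */
size_t make_strd(uint8_t *out, size_t out_cap, uint32_t declared_len, size_t payload_len) {
    if (out_cap < 8 + payload_len)
        return 0;
    memcpy(out, "strd", 4);
    out[4] = (uint8_t)(declared_len);
    out[5] = (uint8_t)(declared_len >> 8);
    out[6] = (uint8_t)(declared_len >> 16);
    out[7] = (uint8_t)(declared_len >> 24);
    memset(out + 8, 0x41, payload_len);  /* constructed filler payload */
    return 8 + payload_len;
}

/* Build a chunk with the given declared/actual sizes and run the checked
 * reader on it; returns the parser status code. */
int check_chunk(uint32_t declared_len, size_t payload_len) {
    uint8_t file[4096];
    struct stream_priv priv;
    size_t n = make_strd(file, sizeof file, declared_len, payload_len);
    if (n == 0)
        return PARSE_BAD_HEADER;
    return read_strd_checked(file, n, &priv);
}

int main(void) {
    printf("benign 16-byte chunk:            %d\n", check_chunk(16, 16));          /* PARSE_OK */
    printf("declares 4000 bytes, sends 4000: %d\n", check_chunk(4000, 4000));      /* PARSE_TOO_LARGE */
    printf("declares 60 bytes, sends 8:      %d\n", check_chunk(60, 8));           /* PARSE_TRUNCATED */
    printf("declares 0xFFFFFFFF, sends 8:    %d\n", check_chunk(0xFFFFFFFFu, 8)); /* PARSE_TOO_LARGE */
    return 0;
}
```

The checked reader rejects the hostile chunks before any byte is copied; the unchecked one would copy 4000 bytes into a 64-byte array. The same two checks (destination capacity, bytes remaining in the input) apply to every length field a demuxer or decoder reads from a file.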
FFmpeg 0.11, released in 2012, fixed 28 vulnerabilities that were notable enough to receive a CVE (Common Vulnerabilities and Exposures) number. The utility and versatility of FFmpeg produce a “perfect storm” of potential security issues. FFmpeg supports 197 different file formats and 166 different video codecs. Each format requires its own module of code within the library to process it. Every file format therefore presents a distinct attack surface, and many of the formats are little-used or obsolete, so they receive little scrutiny and generate few bug reports.
Attacking FFmpeg via an unchecked buffer vulnerability requires detailed knowledge about the target system: a buffer overflow exploit built for one platform is unlikely to succeed on another. Necessary information includes the type and version of the operating system, the exact version of FFmpeg, and potentially more details, such as the compiler flags used when building FFmpeg. However, an attacker can fingerprint vulnerable systems in many ways, and in particular, ISE has found that the FFmpeg library embeds its version number within files when encoding them (for example as an encoder tag of the form Lavf followed by the libavformat version, which corresponds to a specific FFmpeg release). If an attacker has access to a video file generated by a vulnerable system, then the attacker could most likely obtain enough information about the system to craft an exploit.
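As an added example of the fingerprint just described (this is not ISE’s or FFmpeg’s code), the scanner below looks for the identification strings FFmpeg’s libraries write into output files, “Lavf” followed by the libavformat version (seen, for instance, in the MP4 ©too atom and the Matroska MuxingApp/WritingApp elements) and “Lavc” followed by the libavcodec version in per-stream encoder tags, and reports the versions it finds. The scan is a plain byte search, so it does not depend on any particular container; the sample buffer is hand-constructed to resemble an MP4 metadata atom and is not a real file.

```c
/* Added example, not ISE's or FFmpeg's code: scan a media file for the
 * "Lavf<major>.<minor>.<micro>" (libavformat muxer) and "Lavc..." (libavcodec
 * encoder) identification strings that FFmpeg writes into container and
 * stream metadata, and report the library versions found. The byte scan is
 * container-agnostic; SAMPLE is hand-constructed and is not a valid file. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

struct lav_version { int major, minor, micro; };

/* Parse "<digits>.<digits>.<digits>" at p (not NUL-terminated).
 * Returns bytes consumed, or 0 if the bytes after the prefix are not a version. */
static size_t parse_version(const uint8_t *p, size_t avail, struct lav_version *v) {
    int part[3] = {0, 0, 0};
    size_t i = 0;
    for (int k = 0; k < 3; k++) {
        size_t start = i;
        while (i < avail && p[i] >= '0' && p[i] <= '9' && i - start < 9)
            part[k] = part[k] * 10 + (p[i++] - '0');
        if (i == start)
            return 0;                        /* no digits where a number is expected */
        if (k < 2) {
            if (i >= avail || p[i] != '.')
                return 0;
            i++;
        }
    }
    v->major = part[0]; v->minor = part[1]; v->micro = part[2];
    return i;
}

/* Find the first "<prefix><version>" occurrence in buf; prefix is "Lavf" or
 * "Lavc". Returns 1 and fills *v, or 0 if absent. A stray "Lavf" with no
 * version after it is skipped rather than reported. */
int find_lav_ident(const uint8_t *buf, size_t len, const char *prefix, struct lav_version *v) {
    size_t plen = strlen(prefix);
    for (size_t i = 0; i + plen < len; i++) {
        if (memcmp(buf + i, prefix, plen) != 0)
            continue;
        if (parse_version(buf + i + plen, len - i - plen, v) > 0)
            return 1;
    }
    return 0;
}

/* Constructed sample (not a valid MP4): an ilst block with a (c)too "encoding
 * tool" entry carrying the muxer ident, followed by a per-stream encoder tag
 * of the form libx264 produces through libavcodec. */
static const uint8_t SAMPLE[] =
    "\x00\x00\x00\x2d" "ilst"
    "\x00\x00\x00\x25" "\xa9" "too"
    "\x00\x00\x00\x1d" "data" "\x00\x00\x00\x01" "\x00\x00\x00\x00"
    "Lavf58.29.100"
    "\x00\x00\x00\x00"
    "encoder" "\x00" "Lavc58.54.100 libx264" "\x00";

int main(int argc, char **argv) {
    const uint8_t *buf = SAMPLE;
    size_t len = sizeof SAMPLE - 1;
    uint8_t *filebuf = NULL;
    if (argc > 1) {                          /* scan a real file when one is given */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return 1; }
        long sz = ftell(f);
        rewind(f);
        if (sz <= 0 || !(filebuf = malloc((size_t)sz)) ||
            fread(filebuf, 1, (size_t)sz, f) != (size_t)sz) {
            fclose(f); free(filebuf); return 1;
        }
        fclose(f);
        buf = filebuf; len = (size_t)sz;
    }
    const char *prefixes[] = { "Lavf", "Lavc" };
    for (int i = 0; i < 2; i++) {
        struct lav_version v;
        if (find_lav_ident(buf, len, prefixes[i], &v))
            printf("%s %d.%d.%d\n", prefixes[i], v.major, v.minor, v.micro);
        else
            printf("%s not found\n", prefixes[i]);
    }
    free(filebuf);
    return 0;
}
```

Run with no arguments it scans the built-in sample and reports Lavf 58.29.100 and Lavc 58.54.100; run with a path it scans that file. The defensive counterpart is to strip or override these tags on anything that leaves the facility (FFmpeg’s -bitexact flag suppresses the Lavf ident, and an explicit -metadata encoder= replaces the stream tag), so that a leaked or delivered file does not advertise the version of the system that produced it.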
A reason for concern, is that FFmpeg may be used on systems processing sensitive assets, such as unreleased video footage. In addition to an attacker obtaining these assets, an attacker could use a vulnerable system as a pivot point to gain further access to customer or vendor networks, or could use the compromised system for unrelated illegal purposes, such as hosting pirated content or launching a subsequent attack.
Of note is the fact that once a system is successfully compromised, not only are all assets on the system at the time potentially compromised, but as long as the attack remains undetected, any additional assets processed by the system in the future may also be compromised.
Users of FFmpeg should take several steps to minimize risk. The simplest and most effective mitigation is to always update to the latest release of FFmpeg, especially when security vulnerabilities are found and patched. Keep in mind that developers using FFmpeg cannot reasonably be expected to update instantaneously when a new release is issued, and there is also the potential for zero-day attacks (those discovered and used by attackers but not yet known to the software provider). As part of a general defense-in-depth strategy, systems utilizing FFmpeg can take additional precautions:
- Applications that process external inputs (such as uploaded files) should always run on a low-privileged user account. They should never run as root (on Unix) or an administrator (on Windows).
- Compiler and operating system features that help to prevent some, but not all, buffer overflow exploits (stack protectors, non-executable memory, and address space layout randomization) should remain enabled.
- Sensitive assets (e.g. video content) should never be stored on the same system that processes external inputs.
- Modular libraries, such as FFmpeg, can often exclude unneeded features or file formats when compiled; FFmpeg’s configure script supports this with --disable-everything followed by --enable-demuxer=, --enable-decoder= and similar options naming only the formats actually required. If a vulnerability is specific to the module for one file format, and that format is not included, then the resulting copy of FFmpeg is not affected by that vulnerability.
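The launcher below is an added example, not code from this memo or from the FFmpeg project, of how the process-level items in the list above can be enforced before FFmpeg starts: it lowers resource limits (including disabling core dumps, so a crash in a decoder cannot write asset memory to disk), drops from root to a dedicated unprivileged account if it was started as root, and only then executes the FFmpeg command line it was given. It assumes Linux with glibc; the uid/gid 65534 is a placeholder for whatever dedicated account a deployment uses, and the scratch directory is assumed to hold only the file being processed. Keeping assets off this host and trimming the FFmpeg build are deployment decisions the program cannot make for you.

```c
/* Added example, not FFmpeg project code: apply resource limits, drop
 * privileges if started as root, then exec an FFmpeg command line.
 * Assumptions: Linux/glibc; uid/gid 65534 stand in for a dedicated account;
 * argv[1] is a per-job scratch directory holding only the input file. */
#define _GNU_SOURCE
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct sandbox_limits {
    rlim_t address_space;   /* bytes: bounds allocation-driven DoS from hostile files */
    rlim_t cpu_seconds;     /* caps decoder loops that never terminate */
    rlim_t file_size;       /* bytes: largest output the transcode may write */
};

/* Lower one limit to min(cap, current hard limit), setting both soft and hard
 * so the child cannot raise it again. Never raises an existing hard limit. */
int cap_limit(int resource, rlim_t cap) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (cap < rl.rlim_max)
        rl.rlim_max = cap;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(resource, &rl);
}

int apply_limits(const struct sandbox_limits *l) {
    /* No core dumps: a crash in the decoder must not write asset bytes to disk. */
    if (cap_limit(RLIMIT_CORE, 0) != 0) return -1;
    if (cap_limit(RLIMIT_AS, l->address_space) != 0) return -1;
    if (cap_limit(RLIMIT_CPU, l->cpu_seconds) != 0) return -1;
    if (cap_limit(RLIMIT_FSIZE, l->file_size) != 0) return -1;
    return 0;
}

/* Drop to an unprivileged account if, and only if, we were started as root.
 * Order matters: supplementary groups first, then gid, then uid; afterwards
 * verify that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0)
        return 0;                          /* already unprivileged: nothing to do */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;                    /* refuse to "drop" to root */
        return -1;
    }
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) {
        errno = EPERM;                     /* the drop did not stick */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <scratch-dir> <ffmpeg> [args...]\n", argv[0]);
        return 2;
    }
    struct sandbox_limits lim = {
        (rlim_t)2 << 30,                   /* 2 GiB address space; tune per workload */
        900,                               /* 15 minutes of CPU */
        (rlim_t)8 << 30                    /* 8 GiB largest output */
    };
    if (chdir(argv[1]) != 0)                 { perror("chdir");           return 1; }
    if (apply_limits(&lim) != 0)             { perror("apply_limits");    return 1; }
    if (drop_privileges(65534, 65534) != 0)  { perror("drop_privileges"); return 1; }
    execvp(argv[2], argv + 2);               /* e.g. ffmpeg -i in.mov ... out.mp4 */
    perror("execvp");
    return 127;
}
```

Invoked as a root-owned service it lands in the unprivileged account before FFmpeg’s first byte of input is parsed; invoked already unprivileged it simply applies the limits, which an unprivileged process may still lower. The limit values are starting points, not recommendations: an encode of a feature-length master needs more address space and CPU than a thumbnail job, and the point is that a hostile file that tries to allocate or loop without bound is killed by the kernel instead of taking the host with it.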
This memo should not be taken as a security advisory for using FFmpeg, nor as an argument against using FFmpeg. As with any software, there are security concerns, awareness, and particular configuration and hardening guidance that should be understood when adopting the technology. A good summary of FFmpeg and its risk of security issues is given on the About FFmpeg page of the FFmpeg project web site.
SAN FRANCISCO — At a gala dinner last night in San Francisco, CDSA founder Larry Finley was posthumously inducted into the prestigious Consumer Electronics Hall of Fame. Finley was among an induction class of 12 industry leaders who were honored for helping found the CE industry as we now know it.
“This elite group of leaders has laid the foundation that our industry continues to build upon,” said CEA President and CEO Gary Shapiro. “Their vision, drive to excel and enthusiasm have helped to create the innovative CE products and services that have improved the lives of consumers worldwide. It is a pleasure to recognize this prestigious group.”
In the acceptance speech, Finley’s grandson and CDSA’s executive director Guy Finley explained: “Entertainment Matters. And it isn’t just the title of a conference I’m participating in at International CES in just a few months, it also explains that entertainment is and always has been a driving force behind all forms of new technologies. And it is a slogan that could very much define the career of my grandfather and one of the CE industry’s founding fathers, Larry Finley, whose relationships with leading Hollywood figures connected hardware with software well before Steve Jobs saw the importance of this synergy.” In his introduction, CEA’s Shapiro emphasized the significance of Finley’s many contributions in the formative years of the industry as the basis for the entire packaged home video industry.
CDSA was originally founded by Finley as the International Tape Association (ITA) in 1970, at the dawn of the audio cassette. Finley, a concert promoter in San Diego and partner with the Dorsey Brothers, later became a pioneer in TV broadcast as a late-night TV host in Los Angeles. This was followed by his pioneering work as owner of the International Tape Cartridge Corporation (ITCC), which produced and distributed eight-track cassettes on behalf of over 50 record labels worldwide. Read more
Variety and CDSA Gather Experts to Address Innovations in Anti-Piracy and Content Security, Dec. 6 in Los Angeles
LOS ANGELES — The Third Annual Content Protection Summit (CPS), produced by Variety and the Content Delivery & Security Association (CDSA), today announced that Senator Chris Dodd, Chairman and CEO of the Motion Picture Association of America (MPAA) will be featured in an exclusive Variety Conversation Keynote.
“With technology advancements and the development of an ever growing number of platforms for viewing motion pictures and TV shows, it is more important than ever to make sure important industries, government and consumers work together to ensure the Internet works for everyone,” Senator Dodd said. “Both the creative and technology communities are inextricably linked as we work to bring consumers the digital environment they want and both are essential to the economic well-being of our country.”
The event is one of the highlights of a day-long, deep dive into the latest innovations, findings and effective forms of deterrence in the protection of the creative products of leading movie, game, music and software companies. The event, themed “Innovation and Insights in Content Security,” is once again being held at the Los Angeles Hilton Hotel in Universal City on December 6.
“CPS is the official gathering of executives from across entertainment, focusing on the opportunities, and remarkable innovations in entertainment content protection,” said Alex Kochis, Conference Chair. “As the entertainment industry accelerates toward online services and digital products, we are experiencing a ‘perfect storm’ of threats to our business. Yet it is also a time of vast opportunity, disruptive business models, and remarkable innovation. This conference has always kept the industry’s leading practitioners on the cutting edge of the most effective best practices and engineered solutions and we are especially proud this year to have Senator Dodd join our industry discussion.” Read more