Audio streaming enables downloading?

Man, I have learned a lot today. I have gone through so much effort to try
and prevent people from downloading files. I have mp3 files that I want
people to listen to but I don't want them to save the file. So I went
through all the pain of implementing a script.

It is PHP, but I imagine other languages would be similar:

function serveaudio($file) {

$link = "audio/" . $file;

$handle = fopen($link, 'rb');
header('HTTP/1.1 200 OK');
header('Date: ' . date("D M j G:i:s T Y"));
header('Last-Modified: ' . date("D M j G:i:s T Y"));
header("Content-Type: audio/mp3");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Content-Length: " . (string)(filesize($link)) );
header("Content-Transfer-Encoding: Binary");
header('Content-Disposition: filename=\"$name\"');
readfile($link);
}

I used htaccess to limit direct access to the files. But I noticed that as
the file plays in Media Player, you can just choose Save As! So is there
truly no way to prevent someone from saving an audio file? That doesn't seem
possible...

thanks,

brian

"Brian Huether" <bhuetherNO@comcastSPAM.net> wrote in
news:3PCdne0jKd0omO_YnZ2dnUVZ_v2dnZ2d@comcast.com:

> Man, I have learned a lot today. I have gone through so much effort to
> try and prevent people from downloading files. I have mp3 files that I
> want people to listen to but I don't want them to save the file. So I
> went through all the pain of implementing a script.
>
> It is PHP, but I imagine other languages would be similar:
>
> function serveaudio($file) {
>
> $link = "audio/" . $file;
>
> $handle = fopen($link, 'rb');
> header('HTTP/1.1 200 OK');
> header('Date: ' . date("D M j G:i:s T Y"));
> header('Last-Modified: ' . date("D M j G:i:s T Y"));
> header("Content-Type: audio/mp3");
> header("Cache-Control: no-store, no-cache, must-revalidate");
> header("Pragma: no-cache");
> header("Cache-Control: post-check=0, pre-check=0", false);
> header("Content-Length: " . (string)(filesize($link)) );
> header("Content-Transfer-Encoding: Binary");
> header('Content-Disposition: filename=\"$name\"');
> readfile($link);
> }
>
> I used htaccess to limit direct access to the files. But I noticed
> that as the file plays in Media Player, you can just choose Save As!
> So is there truly no way to prevent someone from saving an audio file?
> That doesn't seem possible...
>
> thanks,
>
> brian
>
>
>

No, there isn't. EVERYTHING you see on the internet is first put on your
computer. Either in memory or in cache or both. If you don't want the
saving it the broadcast it on the radio. Oh, wait. There's that darned
tape recorder thingy...

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

ok then lets talk php,
as previously mentioned you can make it hard using rate limited
streaming, for instance I have thousands of quite large mp3s, they are
available via a script, but they are bandwidth limited, and the client
has a connection limit.
This way if someone decided they wanted all my mp3s yes they would have
to be registered. (you could license them using encryption via mwa if
you were REALLY tight) yes they have to download them at the listening
rate, yes they cant download 2 at once, yes session cookies are
enforced, so no bog standard get requests, along with this basic user
agent sniffing is used(but NOT enforced as a killer condition) and yes
their session is reset after 24 hours,
All in all, it would take them a year to save the files assuming they
can be bothered to automate this. Im not being tight and needlessly
aggressive here, Im just protecting my back against sudden downloads
which I cant afford or cope with network wise. I dont actually care if
someone wants them.

as you are using readfile, the download is as fast as just clicking on
the link. But you can implement really dirty streaming using a
playlist.php file (which is in addition to the streaming.php)

heres how it works.

user requests mp using http://blah.com/path/to/audio.mp3

link is rewritten \([^\]+)\.mp3$ to playlist.php?file=$1

playlist sends correct header for a playlist and echos correct url to
the streaming.php script
(theres nothing to stop a registered user looking at this we dont care
though)

playlist.php
header('Content-Type: application/x-mpeg');
echo 'http://domain.com/path/to/streaming.php';
exit;

so playlist.php is basically a text file, that tells the users media
player where to go next. Like a SMIL file does for rtsp

streaming.php
this just does as you did but enforces some restrictions on the speed.

#this just sleeps every now and then, this script was used to bounce
bbc bach christmas from my digital radio at home via apache to a few
friends
function readfile_chunked($filename,$retbytes=true,$sleep=0 )
{
$chunksize = 4*(1024); // how many bytes per chunk
$buffer = '';
$cnt =0;
// $handle = fopen($filename, 'rb');
$handle = fopen($filename, 'rb');
if ($handle === false)
{
return false;
}
while (!feof($handle))
{
$buffer = fread($handle, $chunksize);
echo $buffer;
flush();
if ($retbytes)
{
$cnt += strlen($buffer);
}
if ($sleep!=0)
{
sleep( $sleep);
}
}
$status = fclose($handle);
if ($retbytes && $status)
{
return $cnt; // return num. bytes delivered like readfile() does.
}
return $status;
}

#if you wanted to enforce only media user agents - you cant actually DO
this cos its easily faked.
if( (strpos($_SERVER['HTTP_USER_AGENT'],'Mozilla')!==false) ||
(strpos($_SERVER['HTTP_USER_AGENT'],'Opera')!==false) )
{
echo '<h1>note!</h1><h3>You should not access this from a browser as
it is an mp3 stream, please download mplayer for <a
href="http://www1.mplayerhq.hu/MPlayer/releases/win32/" >windows</a>,
or <a href="http://www1.mplayerhq.hu" >linux</a>, or <a
href="http://www1.mplayerhq.hu" >os x</a>, and return to this url in
the player.</h3>';
exit();
}
else
{
header("Content-Type: audio/x-mpeg");
#you would want to put the path and audio filename in here.
readfile_chunked('http://bach.mydomain.com/');
}

I mean I know this isnt good, but it worked well enough.

You can get very very clever, but as already stated, you cannot stop
people recording your stream, as many choose to do to the bbc streams.
If you send the data out, it can be captured. But you can make it
pointlessly long and drawn out to do so.

Other tricks people use is sending data via UDP through flash, thats
pretty hard to capture, and if youre up for learning more, that would
be my bet. The stream can be quite complicated and I think it would be
the hardest to crack.

Cookies can be handled using cURL, sessions too. (even wget supports
this i think)

You could wrap your mp3s as swf files, and split them up into say
random chunks splicing them together using flash - I think its possible
to splice them together although ive never tried it. (you might have to
cache the first part of them) This is the "protection" afforded to some
mp3s on some bible sites say. You just use swftools to unwrap them.

As for sending non caching headers, the way I would defeat that would
be to simply use a proxy, it would stick at the proxy and be available
later to download. Its easy to write proxies in C#.

Have you thought of using a separate server to host the mp3s which you
can control, you could stream using darwin or vlc. anyway. ive waffled
on too much.

"shimmyshack" <matt.farey@gmail.com> wrote in news:1165108866.335656.251440
@80g2000cwy.googlegroups.com:

> Have you thought of using a separate server to host the mp3s which you
> can control, you could stream using darwin or vlc. anyway. ive waffled
> on too much.
>

I was thinking, if he is protecting intellectual material it may be worth
it to him to provide a custom ActiveX component to retrieve and play the
file. That way he would have complete control over everything. No http, no
cache's, no possibility to save it other than a separate recording program.

What would prevent someone from starting up Windows Sound Recorder and
recording it. Or even a separate cassette recorder? Nothing, really.


----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

Brian Huether wrote:
I noticed that as
> the file plays in Media Player, you can just choose Save As! So is there
> truly no way to prevent someone from saving an audio file? That doesn't seem
> possible...
>

Brian, what is your ultimate goal, 1) saving bandwidth or 2) protecting
intellectual rights?

My 2 € cents:

1) consider offering a bittorrent file;
2) consider offering public domain or free-as-in-speech documents (e.g.
creative commons or similar)

Ottavio

Wow those are some pretty advanced ideas! I am not sure I have the time to
get into that level of detail though. Maybe I'll do as you say and just
allow people to listen to lower fi versions.

regards,

brian



"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1165108866.335656.251440@80g2000cwy.googlegro ups.com...
> ok then lets talk php,
> as previously mentioned you can make it hard using rate limited
> streaming, for instance I have thousands of quite large mp3s, they are
> available via a script, but they are bandwidth limited, and the client
> has a connection limit.
> This way if someone decided they wanted all my mp3s yes they would have
> to be registered. (you could license them using encryption via mwa if
> you were REALLY tight) yes they have to download them at the listening
> rate, yes they cant download 2 at once, yes session cookies are
> enforced, so no bog standard get requests, along with this basic user
> agent sniffing is used(but NOT enforced as a killer condition) and yes
> their session is reset after 24 hours,
> All in all, it would take them a year to save the files assuming they
> can be bothered to automate this. Im not being tight and needlessly
> aggressive here, Im just protecting my back against sudden downloads
> which I cant afford or cope with network wise. I dont actually care if
> someone wants them.
>
> as you are using readfile, the download is as fast as just clicking on
> the link. But you can implement really dirty streaming using a
> playlist.php file (which is in addition to the streaming.php)
>
> heres how it works.
>
> user requests mp using http://blah.com/path/to/audio.mp3
>
> link is rewritten \([^\]+)\.mp3$ to playlist.php?file=$1
>
> playlist sends correct header for a playlist and echos correct url to
> the streaming.php script
> (theres nothing to stop a registered user looking at this we dont care
> though)
>
> playlist.php
> header('Content-Type: application/x-mpeg');
> echo 'http://domain.com/path/to/streaming.php';
> exit;
>
> so playlist.php is basically a text file, that tells the users media
> player where to go next. Like a SMIL file does for rtsp
>
> streaming.php
> this just does as you did but enforces some restrictions on the speed.
>
> #this just sleeps every now and then, this script was used to bounce
> bbc bach christmas from my digital radio at home via apache to a few
> friends
> function readfile_chunked($filename,$retbytes=true,$sleep=0 )
> {
> $chunksize = 4*(1024); // how many bytes per chunk
> $buffer = '';
> $cnt =0;
> // $handle = fopen($filename, 'rb');
> $handle = fopen($filename, 'rb');
> if ($handle === false)
> {
> return false;
> }
> while (!feof($handle))
> {
> $buffer = fread($handle, $chunksize);
> echo $buffer;
> flush();
> if ($retbytes)
> {
> $cnt += strlen($buffer);
> }
> if ($sleep!=0)
> {
> sleep( $sleep);
> }
> }
> $status = fclose($handle);
> if ($retbytes && $status)
> {
> return $cnt; // return num. bytes delivered like readfile() does.
> }
> return $status;
> }
>
> #if you wanted to enforce only media user agents - you cant actually DO
> this cos its easily faked.
> if( (strpos($_SERVER['HTTP_USER_AGENT'],'Mozilla')!==false) ||
> (strpos($_SERVER['HTTP_USER_AGENT'],'Opera')!==false) )
> {
> echo '<h1>note!</h1><h3>You should not access this from a browser as
> it is an mp3 stream, please download mplayer for <a
> href="http://www1.mplayerhq.hu/MPlayer/releases/win32/" >windows</a>,
> or <a href="http://www1.mplayerhq.hu" >linux</a>, or <a
> href="http://www1.mplayerhq.hu" >os x</a>, and return to this url in
> the player.</h3>';
> exit();
> }
> else
> {
> header("Content-Type: audio/x-mpeg");
> #you would want to put the path and audio filename in here.
> readfile_chunked('http://bach.mydomain.com/');
> }
>
> I mean I know this isnt good, but it worked well enough.
>
> You can get very very clever, but as already stated, you cannot stop
> people recording your stream, as many choose to do to the bbc streams.
> If you send the data out, it can be captured. But you can make it
> pointlessly long and drawn out to do so.
>
> Other tricks people use is sending data via UDP through flash, thats
> pretty hard to capture, and if youre up for learning more, that would
> be my bet. The stream can be quite complicated and I think it would be
> the hardest to crack.
>
> Cookies can be handled using cURL, sessions too. (even wget supports
> this i think)
>
> You could wrap your mp3s as swf files, and split them up into say
> random chunks splicing them together using flash - I think its possible
> to splice them together although ive never tried it. (you might have to
> cache the first part of them) This is the "protection" afforded to some
> mp3s on some bible sites say. You just use swftools to unwrap them.
>
> As for sending non caching headers, the way I would defeat that would
> be to simply use a proxy, it would stick at the proxy and be available
> later to download. Its easy to write proxies in C#.
>
> Have you thought of using a separate server to host the mp3s which you
> can control, you could stream using darwin or vlc. anyway. ive waffled
> on too much.
>

"Mark" <mtaylor*@*lrim.com> wrote in message
news:1165114132_29785@sp6iad.superfeed.net...
> "shimmyshack" <matt.farey@gmail.com> wrote in
> news:1165108866.335656.251440
> @80g2000cwy.googlegroups.com:
>
>> Have you thought of using a separate server to host the mp3s which you
>> can control, you could stream using darwin or vlc. anyway. ive waffled
>> on too much.
>>
>
> I was thinking, if he is protecting intellectual material it may be worth
> it to him to provide a custom ActiveX component to retrieve and play the
> file. That way he would have complete control over everything. No http, no
> cache's, no possibility to save it other than a separate recording
> program.
>
> What would prevent someone from starting up Windows Sound Recorder and
> recording it. Or even a separate cassette recorder? Nothing, really.
>
>
> ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet
> News==----
> http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+
> Newsgroups
> ----= East and West-Coast Server Farms - Total Privacy via Encryption
> =----

I doubt people would be willing to accept the Active X control though...

brian

"Ottavio Caruso" <pr0f3ss0r1492@yahoo.com> wrote in message
news:1165150037.721786.258580@f1g2000cwa.googlegro ups.com...
Brian Huether wrote:
I noticed that as
> the file plays in Media Player, you can just choose Save As! So is there
> truly no way to prevent someone from saving an audio file? That doesn't
> seem
> possible...
>

Brian, what is your ultimate goal, 1) saving bandwidth or 2) protecting
intellectual rights?

My 2 ? cents:

1) consider offering a bittorrent file;
2) consider offering public domain or free-as-in-speech documents (e.g.
creative commons or similar)

Ottavio

My goal is protecting the songs that I have written and recorded. I want
people to be able to listen to them but not save the file. I know people can
save the audio as they are listening with soundcards that route outputs to
inputs but the avg user wouldn't do that.

later,

brian

"Brian Huether" <bhuetherNO@comcastSPAM.net> wrote in
news:B_adnaUYq99rc-_YnZ2dnUVZ_rGdnZ2d@comcast.com:

>
> "Mark" <mtaylor*@*lrim.com> wrote in message
> news:1165114132_29785@sp6iad.superfeed.net...
>> "shimmyshack" <matt.farey@gmail.com> wrote in
>> news:1165108866.335656.251440
>> @80g2000cwy.googlegroups.com:
>>
>>> Have you thought of using a separate server to host the mp3s which
>>> you can control, you could stream using darwin or vlc. anyway. ive
>>> waffled on too much.
>>>
>>
>> I was thinking, if he is protecting intellectual material it may be
>> worth it to him to provide a custom ActiveX component to retrieve and
>> play the file. That way he would have complete control over
>> everything. No http, no cache's, no possibility to save it other than
>> a separate recording program.
>>
>> What would prevent someone from starting up Windows Sound Recorder
>> and recording it. Or even a separate cassette recorder? Nothing,
>> really.
>>
>>
>> ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure
>> Usenet News==----
>> http://www.newsfeeds.com The #1 Newsgroup Service in the World!
>> 120,000+ Newsgroups
>> ----= East and West-Coast Server Farms - Total Privacy via Encryption
>> =----
>
> I doubt people would be willing to accept the Active X control
> though...
>
> brian
>
>
>

It is intended for your STUDENTS right? I think you are a trusted source.
It's not like just anyone is accessing the files. After all, that is what
you are trying to PREVENT, yes?

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----