Hulu Munging HTML With JS To Protect Content

N!NJA writes "Hulu has started encoding the html that they send to people's browsers, and then decoding it using javascript before rendering it. [...] They then run the character stream through a series of javascript functions to convert it back into plain text before pushing it into your browser using DHTML. That's quite a lot of effort just for fun, so I assume that is to stop screen scrapers from parsing content." I really can't understand all this effort. Boxee displayed the Hulu advertising perfectly. I suspect Alec Baldwin is to blame.

Re:Phase One is Over

[Fahrvergnuugen]

And now, I supposed, there will be a DMCA attack as phase two.

That's really interesting. According to Wikipedia: "The DMCA criminalizes the circumvention of access control".

Can obfuscated HTML & JavaScript really be considered access control?? I sure hope not.

If it is, then what's the difference between obfuscated code and horribly written code thats difficult to understand? Or code thats been run through a minifier to make it smaller?

I can't understand...Boxee displayed ads perfectly

[Papabryd]

...On a TV. Where ad rights, restrictions, and most importantly prices are much different than they are on the web. Hulu's (well really Fox/NBC's) bean counters won't let that fly especially when they can get roughly 7 minutes of ad space on a broadcasted show versus 2 minutes on Hulu. I'd be willing to bet that the prices for those 2 minutes on Hulu are a lot cheaper than 2 minutes on TV for an equivalent show.

And to anyone complaining about having to dance through proxies to watch Hulu internationally, it's for the same reasons. What benefit does Charmin see from advertising toilet paper to people in the Netherlands?

All that aside, as someone who has a modded XBOX with XBMC and was living abroad,I can say with experience that all these shenanigans are tiring. Like any arms race where it's content producers vs. the internet, the internet will win in the end.

Content Providers' Demands?

[T Murphy]

Maybe they are just doing this to sate the content providers. As long as they appear to be trying to solve the problem, they should get brownie points with the major companies. Considering how popular DRM seems to be with the execs, I'll bet they think this works just as "well".

It's all about the DMCA

[Anonymous Coward]

If you do decrypt it without authorization, they can claim you're in violation. It's not about the technical merits of their solution, it's about the legal aspect.

idiotic approach and easy to defeat

[Anonymous Coward]

Any developer worth his salt knows of the Firefox extension "Web developer" which comes with a "View generated source" button. So no matter how hard you try to hide your HTML, the browser still needs to see true HTML to render your page, which View generated source can do quite easily.

And for all the non-developer out there, if you use Firefox, you can make a selection of text (or better, CTRL-A), right click and choose view-source. It's the generated source you will see on selected text, not the original code provided by the server.

A

Is it for screen scrapers?

[TheRaven64]

Won't this also prevent things like Phorm from modifying the ads? A screen scraper can just embed something like Gecko or WebKit and generate the DOM tree with the scripts, but something that needs to sit on a connection and do realtime packet modification like Phorm can't do that.

Since Hulu doesn't work outside the USA, I've never used it so I don't know if which is more likely, but if I had an ad-supported web site I wouldn't want carriers modifying my data in-flight, and this approach is a lot less computationally-expensive on the server side than using SSL without dedicated hardware.

Re:Cat & Mouse.

[kirbysuperstar]

Do you really believe that all of this content is going to get less available over time?

What about if your internet goes out and there's jack-crap on TV? Oh look, a HDD full of episodes/movies/whatever. Or.. well this one doesn't apply in this case, as Hulu is US only, but for people with low bandwidth/download quotas, streaming is a total waste. Hell, if I was to stream something, I'd nab a copy of it, just so I didn't feel I was wasting my quota.

Re:Dumb question here

[swilver]

No, you just run their javascript, the way it was intended to be. There's no reverse engineering involved. If they were smart (Hulu), they'd send different decoding function each time making it not possible to just recreate their function... if doing any of this can be considered smart.

EUCD is the EU variant of DMCA since 2001

[emj]

EUCD [wikipedia.org] is the EU version, if DVD Jon would have been trialed in the EU it would have been interesting. Because I find it very hard to believe that anyone will ever get convicted for circumventing protection mechanisms, if it wasn't with malicious intent, or for monetary gain.

Compression, not encryption?

[Anonymous Coward]

A couple years ago I was on a project building a web site that used asynch calls to web services to get JSON strings and then render DHTML from the resulting objects. The requirement came down that we needed to "encrypt" the data being returned by the seb services. They understood that it would only be obfuscation because the code to "decrypt" the strings would be right there in the JS for anybody to see, but it's what they wanted.

Instead of trying to encrypt it, I chose to compress it. The resulting string was obfuscated so the client was able to check that off the list but more important was that the strings being returned were much smaller and performance was noticably increased even though the string had to be decompressed in JS before it could be used.

Re:Dumb question here

[illumin8]

But you're not reverse engineering. They're sending you their code, you're just running it!

Actually I wonder if the DMCA would apply here. I think in fact it might. A non-techie judge might decide that running their javascript code on any device that they don't intend you to run it on is a violation of the reverse engineering clause.

Clearly, the content owners (Hulu) intend for you to only watch their content on a web browser running on Windows, Mac, or Linux. By running their javascript on a 3rd party device like a Boxee box (not a web browser), the judge might interpret this as reverse engineering to defeat a copy protection mechanism.

I think the grandparent is very astute. This is probably setting up a legal argument that could be used in court to sue the makers of Boxee.

Re:Don't they want people to use Hulu?

[Anonymous Coward]

CPM is higher on Hulu than it is on the TV because users are "more engaged" on the PC than they are on the TV. The two potential problems with pushing Hulu to the TV screen are:
1) Advertisers are paying a premium for engagment that they aren't getting.
2) It will eat into they biggest customers' (cable,satellite, etc) revenue who, I am reliably told, are putting a lot of pressure on Hulu to pull the plug on boxee.

Re:Cat & Mouse.

[Maxo-Texas]

True story...

Three separate estimates for a project have determined that making a change will take about 1400 to 2800 hours. These were swag by a analyst with 8 years experience with the application, a formal 40 hour estimate by a different analyst with 9 years experience with the application, and an outside estimate by a contracting house (who wink/wink made it clear the 1400 hour estimate was really them lowering their billing rate to get some work- they would be working 20 hours a week unpaid to make the 1400 hour estimate).

The CIO came in and said "I don't see how this can be so hard", drew some boxes on a whiteboard as the "high level design" and said, "this should take 400 hours". (This was after the three estimates kept disagreeing with her wishes)

And *every* VP and senior director in the room, nodded in agreement and didn't say a god damned thing.

One of the ways planned to meet this goal is to assume testing will find no defects and take one week less than normal. That's just one -- there were more.

In the current environment- IT people are seeing some really bizarre behavior by the business types (I have friends at three other companies that report similar experiences).

Re:Cat & Mouse.

[hondo77]

Me: I estimate this will take four months.

Director of IT (former sysadmin): This should only take four weeks.

Want to guess who got blamed when the project took four months?

Re:Cat & Mouse.

[Yold]

I don't think the CIO's lack of understanding is caused by her being a "business type". Fact is, unless you've been knee-deep in the code for the system in question, you probably have a very skewed understanding of the time requirements.

Case in point, a client of mine was a PhD/MD. Definitely a nerd, not a business type. He has programming skills, yet he expects me to be able to accomplish 20+ hours of coding in an hour. He simply doesn't understand the amount of thinking, experimentation, design, coding and testing involved for modern web-apps.

More relevant case in point, my boss has a PhD in computer science. About 10 years ago, he was a programmer just like me, but now he runs big-numbers for the business types. He has been nagging me about current project to be done, because back when he was a web developer, everything was server-side CGI. No CSS prettiness to worry about, limited cross-browser issues, and there was no cluster-fuck codebase to wrestle with. If he gave 2-shits about being a better manager, he'd ask "what sort of problems are you having/expecting", rather than "is it done yet?", and then telling me to hurry up to create bug-free code (pfffft what an oxymoron).

Fact is, every manager I have ever had in a technical position has been woefully out-of-touch with the nitty-gritty of their subordinate's work. Whether or not that person had substantial computer/technical background is irrelevant, because they don't understand the specifics of the system/project in question.

Re:what do you expect?

[Firehed]

The ads are (more or less) built directly into the video stream. The issue is that the content producers take issue with people using media center appliances to put their internet content on a TV screen, despite being identical content to what's shown on TV (except that rather than skipping ALL the commercials with a TiVo, people sit through or ignore the single ad in Hulu streams).

Yes, they SHOULD do it that way. Lord knows that I'll never pay for a cable TV subscription (unless by the laws of retarded cable company economics, it lowers my internet bill), and to me it's all the same content regardless of the display medium. As it is, I'll usually just listen to the stream in the background while pretending to work, since Stewart and Colbert don't exactly rely too heavily on visuals.

But that's beside the point - so long as the content producers (NBC, FOX, etc) continue to have last-century business models, Hulu really has to cooperate with them. It's certainly in their best interest from an ad sales perspective to get the content in front of as many people as possible, regardless of the display device - CPM ads only care about the number of eyeballs. I'll happily go back to torrents if they make it hard to watch shows through Hulu, where they'll get exactly $0.00 per viewing.

Re:what do you expect?

[ZorinLynx]

Maybe content producers should start realizing that they're playing too many ads.

One of the things I like about the show Fringe is that FOX plays it with between one and three 30 second ads per break. This is actually tolerable. Other shows end up having 5-6 ads per break; by the end of the break you're going "WTF where's my show?"

Watching live TV (with ads included) would be a lot more tolerable with 1-2 ads per break. I think more people would watch to make up the difference.