Feb 17 2007

How to harden Flash Media Player

Category: Insanity, Life Stories | erm @ 8:43 am

Here is information on how to harden Flash Media Player.


Every week since I started reading the forums on Jeroen Wijering’s site I see a post like this …

How do you keep people from downloading your music?

You can’t. You just can’t.
There are ways, however, to make it harder.

  1. Don’t list mp3 files in your mp3 folder.
    • Add an “Options -Indexes” line to .htaccess.
    • If you can’t do that, add a file called index.html or index.htm to your mp3 folder.
      • Have the index.html file say something like “Forbidden, your IP has been logged.” Granted, everyone’s IP is always logged, but when you tell them, it kinda scares them.
  2. Use a streamscript. This keeps programs like download helper from detecting your mp3s.
  3. Have ajax run your ufo/embed command.
    • xajax is a great ajax library.
    • The reason I suggest this is that if a visitor can’t just view the page source and get the name of your file=, then it’s that much harder to determine what the playlist.xml file is.
  4. Edit the .as files and change playlist.xml to something else.
    • This option is costly: $600 to change 2 lines every time you upgrade your flash mp3 player … you do the math.

Things NOT to do.

  1. Password protect your mp3 folder with http_auth.
    • If you have Apache ask for a password from anyone accessing your mp3 folder, then your flash media player will not work. Sure, it’ll work for you because you’ve already entered the username/password, but your listeners will not be able to listen to the music.

It is good practice to keep your permissions on files/folders at the bare minimum of what they need to be. It does not “harden” the ability to download/stream mp3s.

It all depends on your setup. I think 644 (user read-write, group read, others read) or 664 (user read-write, group read-write, others read) is a good place to start for mp3s, and 755 (user read-write-execute, group read-execute, others read-execute) is a good place to start for folders. You need the execute bit set to get directory listings for folders.

MP3 file permissions should NEVER have a 7, 5 or 1 in any of their permissions. You don’t need to “execute” mp3 files, just read/write to/with them. So 6 (read-write) or 4 (read) work great.
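The permission guidance above can be checked mechanically. The following is an added example, not part of the original post: POSIX shell functions that flag mp3 files carrying any execute bit and folders that are not 755, then reset them to the 644/755 starting points. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# List mp3 files under $1 with any execute bit set, i.e. an odd digit
# (7, 5, 3 or 1) in the owner, group or other position.
audit_mp3_exec() {
    find "$1" -type f -name '*.[mM][pP]3' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# List folders under $1 (including $1) whose mode is not exactly 755.
audit_dirs() {
    find "$1" -type d ! -perm 755 -print
}

# Reset to the post's starting points: 755 for folders, 644 for mp3s.
# Folders use "\;" so each one is fixed before find descends into it.
fix_media_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -name '*.[mM][pP]3' -exec chmod 644 {} +
}

# Build a constructed sample tree and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    mkdir "$d/mp3"
    : > "$d/mp3/ok.mp3";    chmod 644 "$d/mp3/ok.mp3"
    : > "$d/mp3/group.mp3"; chmod 664 "$d/mp3/group.mp3"
    : > "$d/mp3/bad.MP3";   chmod 755 "$d/mp3/bad.MP3"
    chmod 775 "$d/mp3"      # group-writable folder, should be flagged
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /path/to/mp3-folder   (path is a placeholder)
if [ -n "${1:-}" ]; then
    audit_mp3_exec "$1"
    audit_dirs "$1"
fi
```

Run the two audit functions first and review their output before calling `fix_media_perms`, since it rewrites the mode of every folder under the path you give it.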

Why it’s so hard to keep your music from being downloaded.

First off, you have the “tell all” playlist.xml, and file= in your flash vars. It’s really easy to view the page source and get that information. If they are familiar with this package, then they know all that they need to do is point their browser to playlist.xml, open up the file list, copy the URLs 1 by 1, and download them. So editing the .as files and replacing the default playlist.xml is how you could fix this problem. Do you want to pay $600 just to change 2 lines in ImageRotator.as and MediaPlayer.as? So changing the default value is probably the easiest.

Changing the default values is completely useless if you don’t use the streamscript. There are programs out there that can detect anything. Firebug can get tons of information about a web page. All the JavaScript variables defined … ajax requests … the list goes on.

Not to mention your cache.

Adding ajax into the equation is just 1 more hurdle, but it is rendered completely useless by Firebug, since it can grab all the information about a page.

Time to pull out the soap box

You’re an idiot

If you really don’t want your music available, then it’s your best bet to just take down your site, dig a hole, and put your music in it. Forget about being a recording artist, because you’re too stupid to realize that we have something available to us that has never been available before in history.

A way to share our music without having to go through the media/managers/publicists.

I have had my music downloaded over 50,000 times! How many bars have I gone to to accomplish this? *none*. How many managers do I deal with? *none*. How many gigs? *none*.

I make all my music available for download free of charge. I’ve spent more money on this than I will ever make. Do I care? No.

In the end people are getting my music. This *should be* as easy as pressing record on a tape recorder, and getting it off the radio.

Do you realize there is an internet archiver out there that spiders all the sites and keeps it for future generations? Can you imagine what it would be like to be dead for 100 years, and then someone discovers you? Your music redefines how people think, how they live, how they love?

In the end *this* would be worth more to me than millions. This would leave a mark.

Someone once told me “You can write the best song in the world, and if you don’t share it, it’s worthless.”

This is your music. When it comes right down to it you should be able to do what you want. I just don’t see the point in keeping music hidden, or unavailable. Or even worse … offering a lower quality version on my site. What if in 100 years the only song that survived you was low quality?

Well, enough of that. Have fun spinning your wheels.
