CodeWalrus

Situation: my dad wants to host a paid service, where people can pay for his own music to listen online. However, they should not have the possibility to download them, because the service is paid. I tried several tricks to hide them, or making it really hard to find. I tried htaccess, but if I then block the MP3, <audio> doesn't work anymore, so that doesn't help. Another idea was to copy the MP3 to a temp folder, load it in the <audio> tag, and then immediately remove the folder, but I can't get that working yet + an experienced person can easily remove the JS code to remove the folder. Also, in HTML5, there is an option to download the MP3 IMMEDIATELY. I can remove that with CSS, but again, an experienced user can display it again, and download it.

@c4ooo said I can maybe stream it, so downloading them second by second, which might work, so I might give that a try.

Any more ideas? :)

Maybe base64 the mp3 file, decode it and then use the Web Audio API to play it ?

if he gets the first beta running, I'd love to volunteer as a tester, trying to download the songs ^^
(got a lot of experience on the *regular* methods not involving special toos)

You can use websockets to stream the music, use almost unreadable, minfied code so it will be quite hard to assemble it back together, you might even use encryption as an additional step, but keep in mind, someone will always be able to figure it out, because once you listen to it online, your browser is technically downloading it so you can listen to it.

Anyway, I'd recommend your dad not to reinvent the wheel and use things like Bandcamp, iTunes or Google Play as they do a good job for his use case.

Also, you cannot stop me if I play it and record it (using a different device) while it is playing.

If you know someone is doing that to your music, you are a stalker with no life.

I told @P_T on irc that you could use this example as a base :
https://alexgibson.github.io/offlinewebaudio/ (https://alexgibson.github.io/offlinewebaudio/)

It's basically what i said : Encode the audio as base64 data, decode it and play it back with the Web Audio API.
He told me he was happy about it, even though most people would prefer to use streaming over that of course.
(since they can protect it and encrypt it more easily)

Quote from: _iPhoenix_ on April 15, 2017, 09:43:09 PM
Also, you cannot stop me if I play it and record it (using a different device) while it is playing.

Also known as the (anal)ogue asshole.
That's why Hollywood resorts to DMCA letters these days :D

Well, yeah. For most of the music industry, the solution isn't always writing better code and safeguards, but sometimes it's more efficient applying copyright law, more specifically, the DMCA. Very liberally. And the biggest ones have good lawyers to back them up.

I'd use bandcamp. Simple, easy and contained solution.

Bandcamp can do the job and is customizeable (layout, subscription options, stream options, etc) but it depends if he wants something customizeable. Bandcamp has an API, though, for webmasters.

Shush guys, his father will give him monez for the work.  :D
Of course most people will stick with Soundcloud or Bandcamp but if @PT_ can get some monez from his father,
you shouldn't say no guys.

if he publishs his stuff on apple music, the files can be downloaded and shared, but they got markings that tell who is the guy gaving bought it from apple (who shared it) which is pretty hard to remove since regular tools wont help u much at this point.
So this already prevents big parts of the picary as noone wants to share a pirated file with his name on it ^^

Yeah, but apple music is extremely locked in, I wouldn't use it at all.

Plus anyone can just convert the file to a different format using any software or recording device anyway. But yeah the main topic here is to make it as hard as possible to download MP3 files while still allowing to stream them.

Can someone try to get the mp3 from this website WITHOUT recording it? http://www.oefenfiles.nl/ :D (I made something which should prevent downloading it, hopefully ;) )

I will try on mobile and desktop later. I will also try to run DownThemAll on it to see if I can bypass protections or something.

loading the audio isnt shown in network analysis and the difect mp3 link is a 404, impressive.
Should block like 80-90% of the attempts to rip that song.

I think I hate you now <_<

QuoteGET /yMmdahsVJBDfQMy/a.mp3 HTTP/1.1
Host: www.oefenfiles.nl
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: audio/webm,audio/ogg,audio/wav,audio/*;q=0.9,application/ogg;q=0.7,video/*;q=0.6,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Range: bytes=0-
Referer: http://www.oefenfiles.nl/
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Challenge accepted.
Can I try? O.o

EDIT: It took me a grand 5-20 min.

Not that it's your fault, I just looked up a script to do it for me :P

It took me 2 minutes. Disable Javascript (which contain a simple script to delete the mp3 once used) and get the page before it gets to redirect to the nojs page.

That or just use wget or curl to download the page and scrape the mp3 url from source.

Quote from: PT_ on May 01, 2017, 11:22:38 AM
Can someone try to get the mp3 from this website WITHOUT recording it? http://www.oefenfiles.nl/ :D (I made something which should prevent downloading it, hopefully ;) )

But have you even followed the link i gave you earlier ?
Because what you did right now is no different than just using the audio tag.

When i loaded your page with Noscript, right off the bat, i could download the MP3.
And i could look at the source to also get the link...

You did all of that for absolutely nothing.

Unless of course you set up a honeypot or something...
The music is "Allegro from Duet in C Major" right ?

Yeah, that was pretty trivial. I just checked the page HTML source and found the MP3 link immediately. (It's violin music.)

You're trying to solve the same problem that the music industry has been trying to solve for ages via DRM (and mostly failing ;)). I think the big commercial movie and streaming sites use some sort of DRM-based encryption that requires special browser plugins and the like. I haven't researched those, so I have no idea how they work or how effective they are.

The best you can really do is make it so that it takes enough effort to get a raw download that most people won't go to the trouble, while realizing that if someone really wants it badly enough, they'll eventually find a way anyway. If you're serious about it, you should consider applying for registered copyright on the works so that you can legally prove copyright infringement if someone does pirate them.

Here are a couple of uBlock filters to take out your protection:

! Simple direct page block
|www.oefenfiles.nl/delete.php|
! Block the whole script, because it only handles the delayed deletion
||www.oefenfiles.nl/*/script.js
! Hypotheticals:
! Let's say you moved to generating the removal script inline.
www.oefenfiles.nl##script:contains(remove)
! What if you generate the function name randomly too?
! I can take advantage of the fact that all your directory names are 15 characters long, and generate to have the proper name hard-coded.
www.oefenfiles.nl##script:contains([a-zA-Z]{15})
! If you move to grabbing from the DOM, I can check for getElementById calls. You're not gonna win.

On the side, http://www.oefenfiles.nl/nojs.php (http://www.oefenfiles.nl/nojs.php) is a quick way to get me to stop using your website.

Just use Bandcamp. I know I'm personally more likely to stream and buy music from there than from some crappy site that hates me and doesn't let me preview music in the way I prefer. (If you haven't used Bandcamp's mobile app for streaming & discovery, it's pretty nice.) You'd need much heavier DRM.
People turn to piracy when purchasing isn't easy, or they're broke/complete smegheads. The people you will get money from appreciate services that let them quickly evaluate and buy what they want to buy. iTunes helped kill piracy not through their DRM, but through providing a regular & simple way to purchase digital music.

The only solution is to not use javascript at all nor anything that can be disabled on the client side. Or to use an established service, eg Bandcamp, even though that isn't 100% piracy-proof either

EDIT On a side note, is the play button supposed to be grayed out on your website?

U could send the audio in tiiiiny packages which the client side software will then put together.
But everyone will hate you for it!

Do you mean requiring a phone or desktop app to download audio from a website? I am subscribed to a music concert news website called Bandapp that requires an Android app in order to read my messages and I hate that. X.x

You could perhaps encrypt the data to another format (i.e. a string), then read off tiny chunks to play it.

Quote from: _iPhoenix_ on April 15, 2017, 09:43:09 PM
Also, you cannot stop me if I play it and record it (using a different device) while it is playing.

If you know someone is doing that to your music, you are a stalker with no life.

Or you can record it on the same PC by fiddling with  your soundcard settings and using a Wave Editor like Audacity or Soundforge.  8)

Quote from: _iPhoenix_ on May 10, 2017, 07:33:39 PM
You could perhaps encrypt the data to another format (i.e. a string), then read off tiny chunks to play it.

NEVER put too much processing, like decrypting only for such purposes, on the client side (actually nor the server side), it's like the worst style of web dev ever x.x
You only do lots of client side processing if it's really necessary and inevitable.

many sites (for exsample german news sites) split their videos in 5sec fragments and lead them all and make the player turn them into one again. so while watching u dont notice, but if u want to download it... x.x
u can easily download the movie, but it's gonna be a few hundred separate tiny files which u would have to put together using a video cut software, the amount of work is really insame! (actually did thart once, but only once!)

using that method the amount of processing required is much smaller while the effect on pirates is huge, noone wants to download it there xD

Quote from: p2 on May 10, 2017, 10:41:55 PM
many sites (for exsample german news sites) split their videos in 5sec fragments and lead them all and make the player turn them into one again. so while watching u dont notice, but if u want to download it... x.x
u can easily download the movie, but it's gonna be a few hundred separate tiny files which u would have to put together using a video cut software, the amount of work is really insame! (actually did thart once, but only once!)

That would be quite possible to automate via a script and the right tools, but it's true that most people likely wouldn't bother. Just remember that it still wouldn't necessarily stop someone who really wanted to pirate it.

Overdoing it is always an option.
Unless it's a calculator. Then you cannot afford to.
I should add this to my conceited quotes thread

Perhaps take the encrypted string and cut it up into 1 bit fragments and store them in random places on the site, but making them inaccessible to mortals.
In fact, why even stick to the same domain! Store it on every site you can!

kk I'm done now.
dammit I was ninja'd by Travis. By < 10 seconds, too

Quote from: p2 on May 10, 2017, 10:41:55 PM

Quote from: _iPhoenix_ on May 10, 2017, 07:33:39 PM
You could perhaps encrypt the data to another format (i.e. a string), then read off tiny chunks to play it.

NEVER put too much processing, like decrypting only for such purposes, on the client side (actually nor the server side), it's like the worst style of web dev ever x.x
You only do lots of client side processing if it's really necessary and inevitable.

many sites (for exsample german news sites) split their videos in 5sec fragments and lead them all and make the player turn them into one again. so while watching u dont notice, but if u want to download it... x.x
u can easily download the movie, but it's gonna be a few hundred separate tiny files which u would have to put together using a video cut software, the amount of work is really insame! (actually did thart once, but only once!)

using that method the amount of processing required is much smaller while the effect on pirates is huge, noone wants to download it there xD

It needs to be cross-platform compatible, though. It would suck if just for the sake of being secure and piracy-proof, the MP3 could only be streamed from 1 single browser.

Hm yeah, use the web crypto APIs, do an AJAX request to something encrypted and decrypt it on the fly.