Until now, most people thought Microsoft streaming media cannot be saved or copied...

ASF Recorder creates the possibility to DOWNLOAD LEGACY AND COPYRIGHTED CONTENT - live or pre-recorded - from any Microsoft streaming media server that offers HTTP streaming. This has the potential to make some headlines in the news (which it actually did in some publications).

Now content providers will have to seriously reconsider their policy to provide high-quality, legacy content using non-encrypted, non-authenticated and generally insecure data channels.

I am talking about content providers offering music videos, recordings of concerts and TV broadcasts in "high bandwidth" (300kbit/s and 700kbit/s) video. Same applies to streaming audio. There is virtually no difference to offering opyrighted MP3 files for public download on a freely accessible server.

HELLO CONTENT PROVIDERS! YOUR CONTENT CAN BE AS EASILY COPIED AS IT CAN NOW BEEN DOWNLOADED FROM YOUR SERVERS! WOULD YOU MIND COPY-PROTECTING THIS CONTENT, PLEASE?

HELLO MUSIC INDUSTRY AND ARTISTS! THE CONTENT PROVIDERS ARE CURRENTLY GIVING AWAY YOUR INTELLECTUAL PROPERTY IN AN INSECURE, NON COPY-PROTECTED DATA FORMAT. JUST LIKE MP3! THESE ASF FILES CAN BE DOWNLOADED AND COPIED WITHOUT ANY PHYSICAL RESTRICTION.

WHAT CAN CONTENT PROVIDERS DO ABOUT IT ?

- Disable HTTP and TCP streaming?
Wouldn't really help. UDP streaming could also be recorded by a program similar to this.

- Switch from Microsoft to RealMedia products?
Not much difference. I am pretty sure the RealMedia servers have exactly the same vulnerabilities in their streaming protocols.

- Finally start using digital rights management and authentification methods offered by Windows Media?
I hope so. This would make an attack like this very difficult. Windows Media is not generally insecure. It does in fact offer digital rights management and encryption methods. Get yourself informed.

WHAT CAN THE MUSIC INDUSTRY DO ABOUT IT ?

- Pull back from the internet business?
Bad idea. Would give MP3 pirating a serious boost.

- Force content providers to use secure methods for providing their streams?
I hope so.

WHAT CAN MICROSOFT DO ABOUT IT ?

- Try to find out who wrote this program and sue him?
Bad idea - from the author's point of view.

- Inform content providers and the music industry about how to correctly encode media streams and configure servers so that the content cannot be downloaded and copied _that_ easily?
Yeah, good idea.

- Implement an effective authentification mechanism to make sure only Media Player and no other program can access the data streams?
Why didn't they do it already? It would have made this attack impossible. Does it always require a "LOVELETTER.vbs" or a tool like this to prove that some Microsoft products are unsafe/insecure (when incorrectly used)?

Source: ASF Recorder ReadMe