United Airlines Requires You To Install Special Brand Of DRM To Watch Movies On Flights
from the yeah,-that's-not-happening dept
On Twitter yesterday, Brian Fitzpatrick, a tech entrepreneur, noted that while trying to enjoy the in-flight entertainment on the United Airlines flight he was taking, the in-flight Wi-Fi system told him he need to install its special brand of DRM. They didn’t even try to sugarcoat it with some fancy confusing name. It’s literally called the DRM plugin:
Today in NOPE News: it's not "Okay" for @United to install DRM on my laptop. pic.twitter.com/kzUL2RqNDO
— Brian Fitzpatrick (@therealfitz) July 21, 2015
Click ‘Okay’ to download the latest DRM Plugin.
After installation playback should resume immediately,
if it doesn’t then you may need to restart your browser.
Fitzpatrick kindly sent me a bunch more screenshots and details. That little error message pops up — along with other error messages — when you go to watch a movie:
Fitzpatrick also realized that if you don’t have Flash (which is actually a good security practice) United will helpfully offer to install it for you as well:
At this point, United will provide lots of detailed instructions on how to install the DRM-you-never-wanted on your machine:
So, not only is United trying to install unnecessary and annoying DRM on your computer, it’s also doing so in a way that it is recognized as being a security nightmare. That’s encouraging.
In the interest of science, Fitzpatrick dug a little deeper and discovered that the “DRM plugin” in question is actually Panasonic’s Marlin DRM — something we actually wrote about years ago, as an attempt to create an “open source” DRM. Though, amusingly, Fitzpatrick notes that the DRM comes with strong copyright warnings itself:
This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. Panasonic Avionics Corporation or its subsidiaries, affiliates, ad suppliers (collectively “PAC”) own intellectual property rights in the Software Product. The Licensee’s (“you” or “your”) license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement (“Agreement”).
How sweet. You need to abide by Panasonic’s rules when you install its security nightmare of a DRM you didn’t want, just to watch an in-flight movie.
And, really, after all this, people should be asking but why? What “threat” model requires United to force dangerous malware onto your computer? And the answer is likely that Hollywood requires it, because to Hollywood everything is a threat, and the idea that someone might be paying hundreds of dollars for flights and they might also then make a copy of a movie… well, that’s just too much to handle, and they have to first ask you to break your computer and put all your data at risk. Isn’t that sweet of Hollywood? Oh wait, no I didn’t mean sweet. I meant insane.
I’m sure that United Airlines didn’t think through much of this and the details when it agreed to these ridiculous terms. It just thought it was adding an option that sounded nice. Letting people have access to more entertainment options, including on their own devices sure sounds like a nice option for some passengers. But if it comes with forcing people to put their computers and information at risk, it gets problematic fast.
Filed Under: drm, flash, in flight entertainment, marlin, marlin drm
Companies: united airlines
Comments on “United Airlines Requires You To Install Special Brand Of DRM To Watch Movies On Flights”
It should go to show you how legacy and behind the times a large corporation is when it finally adopts something the rest of the online world is trying to phase out.
Why I no longer fly United...
At least on Southwest, they don’t bother with this cruft. People flying are usually not interested in pirating movies and stuff – only in making a boring trip slightly less so!
Also, United charges for each checked bag. Southwest? 2 free. Yes, each additional is $75USD extra, but heck, 2 check-in bags for free? Works for me!
Re: Why I no longer fly United...
Surely you jest…
To watch a movie during a Southwest, they made me install an app on my android device directly from their site (an APK file i’m supposed to simply trust) – and that app refused to run on my Cyanogenmod-laden android device.
Sounds like DRM to me.
All of this happened AFTER I entered the coupon code for a free in-flight movie that I received in the mail… and I wasn’t able to use that coupon again.
At that point, I decided it was pointless to even bother complaining about it… now I just bring my own pre-ripped movies with me on my device so I can watch them at leisure.
I fly Southwest at least once every couple months, and sometimes twice a month.
Taking a page from the wrong book...
“Most users are okay with it.” – Veriz^H^H^H^H^H United
A nice distraction
Here at United, recent events have led us to make sure we keep our planes, and it’s passengers, as safe as possible. To that end, we are asking you to install this little package that will make hackers focus on getting into your system (which we are amazing as easy for them as we can) I stead of ours, because your safety in this aluminum tube is paramount.
That, and if you get hacked, it makes our ceo feel better about us getting hacked, since it happens to everyone. And we’d hat to make our ceo cry.
Thank you for helping us keep you safe!
*notice: unless you happen to have any sensitive information of your computer, and only until you get home anyway, at least we hope, really. But we are sure you don’t and will be fine, just fine.
I think you need to pick up a dictionary and learn what malware is. You jump straight to malware without a shred of analysis of said software.
DRM assumes you are a potential criminal by default (it’s an overreaching preemptive policing). So you should symmetrically assume DRM is malware by default. It’s perfectly correct to call DRM malware, same as DRM calls you a criminal.
Umm… it’s DRM. And this particular DRM it doesn’t even try to hide; it openly proclaims itself as such. What further analysis is needed? What grounds are there to doubt that it’s malware when it doesn’t even bother denying it?
Re: Re: Re:
I think AC’s question was, why should DRM be called malware, and not whether it depends on DRM being hidden or not.
Re: Re: Re: Re:
Malware pretty much by definition uses the promise of useful software to get you to install it, but in doing so also installs a security nightmare. Between Flash and NPAPI, that’s what this DRM scheme does.
Not that the DRM scheme is of any use to the user.
Re: Re: Re:2 Re:
That was me above. Yeah, DRM can be treated as malware because of its intent. See my comment below.
Re: Response to: Anonymous Coward on Jul 22nd, 2015 @ 10:05am
It’s not the definition of malware that’s at issue it’s the definition of DRM.
Malware: software that is intended to damage or disable computers and computer systems.
DRM is software that is intended to (unnecessarily) disable features on your computer. Therfore DRM = Malware.
Re: Re: Response to: Anonymous Coward on Jul 22nd, 2015 @ 10:05am
It’s easier to exaplain once you clarify the premise of DRM.
DRM is built on the idea of not trusting you (the user). I.e. it uses presumption of guilt to deploy some “measures” on your system (presumably to “protect” something from you, but in reality for who knows what). Since it’s overstepping acceptable bounds by its nature with its policing approach (it violates your privacy since it runs on your personal computer and system), it should be treated as a security / privacy threat.
I.e. since it doesn’t trust you and goes out of its way to mess up your system based on that, you should not trust it in return, since trust should depend on mutuality.Thus it can be called malware.
The DRM does nothing whatsoever for the user.
It requires you to install Flash, such a widely recognized security nightmare that Firefox blocks it and even Facebook’s security chief wants Adobe to kill it off.
It’s plugin uses NPAPI, “which is a security nightmare and is no longer supported in Chrome for security reasons.”
In what way is “malware” not justified?
Re: Re: Re:
Firefox only blocked Flash for a day until Adobe fixed the security problem in Flash–which was within 24 hours after they vulnerability was made known publicly.
All software has similar flaws–even Firefox.
Re: Re: Re: Re:
It wasn’t just that Flash opened a major security hole. It’s not just that Adobe has known about it for seven months but ignored it until now. It’s not just that we learned about it from it being widely exploited – where these days security holes are commonly discovered by researchers and the race is to patch them BEFORE they’re exploited.
It’s that this is happening every few weeks for Flash. Yes, other software has flaws. But not like this. A new OS, maybe, but not an animation player.
Re: Re: Re: Re:
It’s not just that the DRM plugin itself isn’t something you would voluntarily want on your system.
The entire infrastructure and method of distributing these kinds of plugins (NPAPI) being used has been recognized as a security nightmare for years.
What NPAPI does is allow any random website that has something embedded that requires a plugin to point to any random location the website wants as a source to get that plugin. Depending on browser settings, it may download and install the plugin automatically, or pop up a window like what is described. The large majority of users will just click accept on the window. This is why Chrome does not allow it. Mozilla has greatly modified how it works in Firefox to only point to Mozilla’s trusted plugin library. I believe Opera does not allow it either (they use something similar to Chrome).
United’s solution to how to play video on someone’s device looks identical to one of the most popular ways to spread malware from a decade ago – the “video codec plugin” scam.
Re: Re: Re: Re:
“Notice the more detailed instructions to get it to work in Chrome (and the earlier note about how this system doesn’t support Chrome)?”
…which was how long after Adobe was first aware of the issue? Which was major security issue number.. what… in the last few years? People are losing count. Add the resource hog nature and the fact that modern browsers have an alternative solution built in – why is this a necessary product to have? Regardless of the risk, it’s an unnecessary one.
“All software has similar flaws–even Firefox.”
Indeed. But nobody’s ever tried demanding I have Firefox installed in order to do something – if I’m unhappy with the quality of the software, I use the solution I’m happy with.
Re: Re: Re:2 Re:
Hmmm… my first quote above pasted something else for some reason, but obviously it was meant to be the first part of the post I replied to..
“You jump straight to malware without a shred of analysis of said software”
If you are presented with mystery-meat software like this, considering it malware by default is the correct thing to do.
Re: Re: Re:
Given Adobe’s track record it is best to consider their software either malware or malware helper software that
leaves open doors for malware from other sources. .pdf and flash both are common vectors for malware infection.
Or I can just download/rip some videos I actually want to watch and have fun without opening huge gaps in my security.
Really, Hollywood moans about piracy but they make a huge effort to turn anything other than pirating an incredibly annoying, intrusive and potentially expensive experience.
It’s okay though, because they only do it to their valued, non-infringing, paid up customers who’re doing what they can to comply with rightsholders’ wishes. Anyone who tells them to go piss up a rope doesn’t need to worry about it.
It’s like they have the corporate version of suicidal tendencies.
I really like how the Chrome team is so concerned security and unwanted software, but yet Chrome itself comes with a forced installation of Google Updater, a program that installs without user permission, without even informing the user that it will be installed, which runs all the time in the background, which installs two new services, which makes about 200+ registry entries and which is a royal pain in the ass to get rid of.
Google claims that it will uninstall itself when you have no more Google software on your system. It was installed on my system when I mistakenly neglected to uncheck the option to install Chrome while updating my anti-virus (If Chrome is so great, why do so many other program try to trick you into installing it?). Although my firewall blocked the download and installation of Chrome, the updater was installer and I discovered it still happily running a month later. After manually removing the services, the files, running a registry cleaner and deleting a bunch of missed entries by hand, I still have two Google entries that I can’t remove.
If the Chrome team is so dedicated to preventing malware installation, why don’t they start with the malware that’s included with Chrome itself?
Re: Re: Re:
So it’s OK to try and trick users into installing software that they may not want if it’s in the name of protecting them?
Re: Re: Re:
Companies can want me to use anything they like. They can even recommend their preferences to me.
What’s not OK, ever, is to sneakily install software.
Re: Re: Re: Re:
Which is why I hate the practice of making the extra software opt-out and often making the options themselves quite small at the bottom of the page so that people can easily overlook them.
Many years ago, when the official DivX codec was actually still being used by people, their site originally provided a codec-only download. Then they started bundling it with the DivX player, which wasn’t optional and which they forced users to install over many objections.
Finally, they started bundling the Google Toolbar with the download. Several people, myself included, had the toolbar install without ever seeing any notice that this would happen. The developers swore up and down that this was impossible. One user eventually figured out that the page in the installer that contained the Google Toolbar options didn’t show up immediately when the Next button was clicked. Instead the previous page remained displayed for an additional five seconds or so, leading people to think that the click hadn’t registered and so they would click again “agreeing” to the Toolbar page without ever having seen it. Of course the next page came up immediately. This was all posted to the official DivX forum. I personally verified that this is what was happening and also posted this on the forum. The only response was silence.
After a month or two and many more complaints of the Toolbar being installed without permission, one of the DivX developers “discovered” a “rare” condition that could result in the Google Toolbar options not being displayed for a “tiny percentage” of users. When I pointed out that this problem had already been documented by a user in their forum months ago and confirmed by others, I was told that THAT problem didn’t exist and that THIS problem was completely different!
When I asked why they were even including the Google Toolbar (bundling third party software was a new idea at the time) in the first place, the developers insisted that it was just because they thought it was such a great piece of software that everyone should have it. I made a royal pain in the ass out of myself (hard to believe, I know!) over this and finally after a lot of nagging and arguing, they admitted that they were getting paid to include the Toolbar.
I’ve been against bundled software ever since. When I download a program I only want that program and nothing else. I won’t even use a “download manager” as is required by many formerly respectable download sites. They promote such programs as being more reliable and faster than using the browser’s download option. I already have a generic download manager/accelerator. Theirs is just a way to push advertising and other crap on the user.
Also to the point of the updater not getting rid of itself. How well do you trust that chrome install, did you get it directly from google or could it have been pre-loaded with malware when you installed it. If you get it directly from google did you check the cryptographic signatures (MD5 sums). It isn’t paranoia when there are crooks and criminals out to get you.
Re: Re: Re:
The Chrome installer was included as part of the Avast antivirus update, which was obtained directly from Avast itself. It seems it’s now perfectly OK for anti-virus companies to bundle unwanted software with their programs. I’d say it would be enough to make me switch, but pretty much everyone is doing this now. It’s rare that you can download any piece of freeware today without it trying to get you to install something else.
Normally I’m careful to uncheck all such options, but in this particular case I was in a bit of a hurry and I neglected to uncheck the options for Google Chrome which were located at the bottom of the window and which were very unobtrusive so as to not be easily noticed. As soon as I clicked the Continue button, my firewall alerted me that the Chrome installer was trying to access the internet. I told it to block the installer and after several attempts, it finally gave up. I figured that the entire install had been averted, but about a month later I was looking in the Task Manager and I noticed that there was Google Updater process running.
Google doesn’t provide any kind of removal tool for the updater and obviously the self-removal mechanism doesn’t always work since it was still running even though I have absolutely no Google software on my system. I wasn’t about to download and install Chrome just in the hope that uninstalling it would properly remove the Updater.
When Chrome first came out, I considered it just another browser that I might one day try. However after seeing how half the freeware programs on the net try to trick you into installing Chrome and how the Updater installed itself even when the main installation was blocked and continued to run for a month even though there was nothing on my system to update, I’ve vowed that no piece of Google software will ever touch my system.
Doesn’t HTML5 do DRM automatically without a plugin?
No; the HTML DRM video tag requires some form of plugin [that comes from Adobe]. It may be something built into the browser in a non-plugin manner, but I’m not sure.
Firefox was the latest holdout on making this rendition official as part of HTML5, but eventually they gave in
Jeffry Houser is correct. This was the Big Lie of the forced inclusion of DRM support in HTML5. DRM still requires you to install a plugin, just like it always has before. The only real difference is that they don’t call it a plugin anymore.
So United declares openly that it distrusts its own customers and expects them to behave without honor. What I don’t get is why anyone would voluntarily pay to put their lives in the hands of a company with such attitudes. If they won’t trust me, it probably reflect the distrust they feel they themselves have earned. They expect you to treat them the way they know they treat you – it’s a sort of mirror principle. Why on earth would I trust such people with my life?
To give them the benefit of the doubt, I’m sure someone at Universal realized this was problematic. Just maybe not someone in a decision-making role. Alternatively, someone in a decision-making role DID realize the problem here and thought “OK, so a few copyright wonks and security people on the Internet will freak out but 99% of our customers won’t give a shit. They’ll install whatever we ask and leave with fond memories of being able to watch Agents of SHIELD on their laptop on the flight”.
Now that I re-read this, both of those options actually make United look worse than they did under Mike’s theory. So much for giving them the benefit of the doubt.
Remember Sony's Rootkit DRM
Wasn’t Sony’s rootkit an attempt to DRM music CDs? The UAL DRM may or may not be worse than Sony’s DRM, but I’d stay clear of it. If one wants to watch movies on a plane flight bring your own DVDs or store them unencrypted on your computer’s/tablet’s memory as suggested above.
Re: Remember Sony's Rootkit DRM
Which will probably make the TSA who checks your unencrypted laptop for terrorism tattletale about you to the authorities for circumventing the DVD’s “DRM”.
Meh, who cares about watching a crummy, heavily edited box office bust anyway? Most savvy travelers avoid the lousy in-flight entertainment already. I’m guessing most of the people knowledgeable enough to complain about this probably don’t rely much on what the airlines offer. Everyone else will have to figure out whether its worth the bother.
This comment is protected by DRM
This comment is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. Panasonic Avionics Corporation or its subsidiaries, affiliates, ad suppliers (collectively “PAC”) own intellectual property rights in the Software Product. The Licensee’s (“you” or “your”) license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement (“Agreement”).
If you do not accept this agreement, please reformat your hard drive to prevent unauthorized distribution of this comment.
Flash Drive Forest
Bring your own in flight entertainment.
A 20 gig flash drive can store hours of movies to watch without having some corporate entity install questionable software on your machine.
Not a problem for me.
I’ll just bring my laptop with VLC installed on it and this file on its hard drive and they can keep their dodgy plugins:
Guardians Of The Galaxy 2014 1080p IMAX BRRip x264 DTS-JYK.mkv
Re: Not a problem for me.
Congratulations on openly admitting to theft. Post reported.
Re: Re: Not a problem for me.
How do you know I didn’t buy the Blu-Ray?
My computer, my file, open source media player — under my control.
You go ahead and play Russian roulette with dodgy proprietary software if you like.
Re: Re: Re: Not a problem for me.
How do you know he PUBLISHED the file? Because copyright happens to be about publishing, not about receiving or downloading something. And the technical term for PUBLISHING would be “copyright infringement”
NSA sure loves Flash.
More poutrage from Techdirt? Oh no, heaven forbid they want to protect movies in their own service. It’s totally going to kill you to install something huh? Or, you know, you could stop whining like a baby and just download an iTunes movie or whatever before you go? Geez.. what a bunch of babies.
Charming. Did you get that “word” from Wired?
More DRM (malware) encumbered, not worth a plugged nickel trash from Hollyweird? Naa. I’ll just read a book, bought second hand or obtained from a library so I won’t be supporting your master (or consequently, you). Sold many buggy whips lately? Have you stopped beating your wife yet?
And they never clean up...
Do they at least offer a decent uninstaller?
Do they prompt the user to remove the DRM-software after the movie played?
I guess a lot of people would like to remove that piece of crap from their system once they find out their son/daughter installed it during flight…
Re: And they never clean up...
Change “people” to “employers” and “son/daughter” to “employee/contractor” and you have me. It’s always been amusing to me that I’d ask my prospective client if I could use my own laptop on their network, and they refused every time, not wanting my machine to have a chance to screw up their network. So, I had to use a work supplied box. I couldn’t care less what happened to that box. I’d happily click yes until the sun goes down on anything.
If they’d have let me use my own, I would have cared about security. Using theirs, I could rely on their wipe and re-image procedures.
That “no BYOD” policy makes sense for non-techs, but the opposite is true for techs.
“[…] do I need to purchase Internet to download it […]”
Sir… sir? Ah yes, I’d like to purchase a couple of Internets please.
Shoot the Messenger
United isn’t a “tech” company. The proper party to attack is Panasonic.
These Panasonic Aero systems have ALWAYS been software pieces of shit. Virtually everyone has been on a flight when these systems were required to be “rebooted” – which takes 15 or 20 minutes. They are built on the usual Microsoft bullshit subsystem. So it’s no wonder they’re worried about threats to the system.
Go after Panasonic. United is getting screwed along with the rest of us for relying on such a poor vendor.
Re: Shoot the Messenger
Go after United as well. After all, United decided to use the Panasonic system, so they aren’t without blame.
You know there's a problem...
… when a website has to give the user detailed instructions on how to and disable the browser’s security settings to watch a movie.
Really, there’s nothing wrong with our plug-in. Trust us, turn off your security settings.
Well, I read most of the comments and I felt that there has not been any kind of appreciation for the things people do at United.
I understand everyone has different opinions and we all like to have the luxury at the cheapest price, but when I look at it sometimes overall, as a flyer for over 40+ years, I think we should appreciate the people who transport us from one place to another place safely. I understand that there are so many issues, but imagine, these few things should not be disturbing us, but we should be thankful that they try their best to take us to our destinations safe. Whichever airlines it is is, I am not worried, but we should really give them Kudos to those pilots, the stewardess, from the time we checkin and all those people. Just a little appreciation would be always good.
We can bitch and complaint about several things that airlines do not do or offer, but SAFETY should be the first concern.
Thank you all just felt like writing it
Hmmm… what about that “Anonymous Coward 0” meme again? Good DRM shouldn’t deceive.
Almost makes me think of the moment where I was going to buy in-flight Wifi from these guys for $5. I ended up using Google cache and AMP to read articles instead. Fun stuff.