Last week a question was brought to my attention by a network administrator who wanted to allow users to listen to online music on some web sites, but prohibit them from downloading (illegally) the songs they listen to.
Lately, as you may know, some web sites have become quite popular because they allow their users to listen to music for free “legally” (the “legally” part is what these web sites claim; if they say so, it could be so –:) ).
But what’s the difference between listening to a song and downloading it from some web sites?
(“their” is in quotes because these computers likely aren’t actually the users’ computers but the company’s computers, unless some privately owned laptops are allowed in some section of the network or so).
Now, seriously, if these are only on paper, how do they plan (if at all) to stop users from doing what they should not do?
I Googled a little bit and, to no surprise, found some “solutions” used by some to “download” songs; some of these methods were quite amusing (like recording the sound, but make no sound while you do that, or else –:) ).
I decided to fire up Wireshark and take a look.
A few seconds later the game was over; take a look yourself, if you know what I mean (the fun part is how they would “protect” what would be obtained below –:) ):
I’ve looked at a couple of such popular web sites: same story (not all used Transfer-Encoding: chunked).
So what’s the difference between listening and downloading from some web sites?
Right now, maybe none in practice, only on paper.
And that may be bad news for the associations “fighting” against piracy. Sheesh… and rolleyes… (not that I agree with piracy, but I generally disagree with the way these associations decide to “fight”).
The “action” takes place over HTTP: the browser sends a POST or GET request to the server (there isn’t necessarily a particular file requested, so that a user could simply follow or reconstruct the link), and the server replies with an HTTP 200 OK message that is of particular “interest”, something like below (gotta love their cache control; I did not check what the browser “stores” in its temp folder though):
So if you are a network administrator interested in blocking users’ access to such web sites from the corporate network, this is not difficult: a product like the future Forefront TMG can deal with those easily, either by using the new URL Filtering feature or by blocking the undesired content type. With ISA Server, for example, a related add-on from Websense or GFI will also help you with this problem (and many other problems too).
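To make the content-type option concrete, here is an added example (not from the original post, and not how Forefront TMG or ISA Server implement it) of the decision a content-type rule makes on the head of an HTTP response. The blocked-type policy, the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example: classify HTTP responses by declared media type, the way a
# content-type rule on a filtering proxy would. Policy values are assumptions.
BLOCKED_TYPES = ("audio/", "video/")   # assumed policy: type prefixes to deny
BLOCKED_EXACT = {"application/ogg"}    # assumed policy: exact types to deny


def parse_response_head(raw: bytes):
    """Return (status_code, headers) from the head of an HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def media_type(headers):
    """Content-Type without parameters, lower-cased; '' when absent."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def decide(raw: bytes) -> str:
    """'deny' for a 200 response carrying a blocked media type, else 'allow'."""
    status, headers = parse_response_head(raw)
    mtype = media_type(headers)
    if status == 200 and (mtype.startswith(BLOCKED_TYPES) or mtype in BLOCKED_EXACT):
        return "deny"
    return "allow"


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "chunked_audio": b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\n"
                     b"Transfer-Encoding: chunked\r\nCache-Control: no-cache\r\n\r\n",
    "sized_audio": b"HTTP/1.1 200 OK\r\ncontent-type: Audio/MPEG; q=1\r\n"
                   b"Content-Length: 4194304\r\n\r\n",
    "web_page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, decide(raw))
```

The rule matches on the declared type whether or not the body is chunked, and it sees the same response whether the client plays it or saves it, so it can deny the media but cannot tell the two uses apart.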
If you want to allow users to listen to the songs (assuming these web sites are legal) but not to download them, for the moment this may be quite a difficult task for the corporate firewall –:), and you should start applying stronger policies over what software users can install on the corporate computers (as you should already have done). Actually, if you haven’t done that already, there might be more serious issues for your network than having users illegally download a song priced at $1 or so on Amazon.